ABSTRACT

This publication describes a set of solutions to the problem of intrusion into
government and private computers via dial-up telephone lines, the so-called
"hacker problem". There are a number of minimum protection techniques against
these people and more nefarious intruders that should be used in all systems
that have dial-up communications. These techniques can usually be provided by
a computer's operating system. If the computer, augmented by normal security
procedures, does not have the capability to give adequate protection against
dial-up intruders, then additional software or hardware should be used to shore
up the system's access control security.

There are several types of hardware devices which can be fitted to computers or
used with their dial-up terminals to provide additional communications
protection for non-classified computer systems. These devices are organized
into two primary categories and six sub-categories in order to describe their
characteristics and the ways they can be used effectively in dial-up computer
communications. A set of evaluative questions and guidelines is provided for
system managers to use in selecting the devices that best fit the need.

Four tables are included which list devices presently available in four of
these categories, along with vendor contact information. No attempt is made
to perform any qualitative evaluation of the devices individually.

KEYWORDS: access control; call-back; communications security; computer crime;
computer security; dial-up security; hackers; port protection devices; security
modems; terminal authentication; user authentication
It is now common knowledge that computer enthusiasts have broken into a number
of government and business computer systems. Most commonly, these so-called
"hackers" have gained illegal access via the common dial-up telephone and the
communications ports which are connected to almost every computer system. They
then exploit weaknesses in software access controls to enter the system itself.
If many computer systems are so poorly protected that hobbyists can penetrate
them readily, then more serious adversaries can do the same. The true nature
of this external intrusion threat, the typical vulnerabilities which make it
possible, and the methods which can be used to reduce this problem need to be
better understood by many system managers.

There are a number of ways that better dial-up communications protection can be
achieved. Several straightforward and often readily available methods can be
used to address this problem, including the use of presently-available
operating system features, simple modifications to the operating systems, and
improved administrative security procedures.

In addition to software and procedural approaches, a wide variety of hardware
devices are on the market today which can do a creditable job of protecting
dial-up lines entering a computer. However, there are some potential problems
for the unwary purchaser. These devices perform the communications protection
function in several different ways, which can be confusing to the potential
purchaser. Many of the devices tend to be inefficient or require the user to
do additional steps that may not be acceptable. The prices vary considerably.
Other features, particularly the level of protective strength, vary
substantially among the devices.
1.1 Perspective and Risk Management

It is important to view the dial-up intrusion problem in the context of the
organization's total computer security program [FIPS31], and not as a separate
issue. Control of access to computer systems is not a new problem in computer
security, regardless of the publicity given to the "hackers". However, it is
very easy to give undue weight to that new problem and over-react to it. It is
also possible to select a protective device or technique that provides little
actual protection from the most important threats facing the system, or that
costs too much compared to the anticipated threat level.

Before seeking some form of protection from dial-up intruders, the system
manager should determine the risk level of the system to this threat. The
techniques of risk analysis should be used to analyze the computer system,
telecommunications and facility in terms of threats, vulnerabilities, and
impacts due to harmful events (see [FIPS31], [FIPS65], and [NBS85]). Based on
the outcome of this analysis, a series of control measures or safeguards can be
selected that are both cost effective and provide the necessary level of
protection. The National Bureau of Standards (NBS) has developed a number of
documents which aid in this selection process. In particular, see [FIPS73],
[FIPS112], [NBS77], [NBS78], [NBS78B], and [NBS80]. The complete process of
risk analysis and control measure selection is called risk management.

1.2 Purpose of this Document

This document will help the system manager make an informed decision whether to
install additional security on the computer system's dial-up lines. It will
also help the manager determine what kind of software, hardware, procedural
mechanism, or combination of these, is most suitable to provide the necessary
level of protection.

Six different hardware approaches to improving dial-up security will be
described. These categories are portrayed in Figure 5-1, Hardware
Communications Protection Alternatives. Also, all of the commercial products
presently available in four of these categories are listed in Tables 1 through
4, which are contained in Appendix A.

In addition, a number of dial-up security techniques that can be added to the
computer's operating system or incorporated into system management or
administrative procedures will be described. In many, if not most, cases
additional hardware protection may not be required if these procedures are
carefully followed in managing the computer's presently available set of
security features.
This section describes certain minimum controls which should be used in a
computer system in order to provide adequate protection from intruders using
dial-up communications. The advent of computer hackers has raised public
consciousness about the potential vulnerability to dial-up penetration, but in
many systems these weaknesses have been there all along. Before specific
methods of protection are described, it is appropriate to discuss the general
forms of computer security controls that can address this threat. There is a
basic set of objectives that system access control mechanisms should meet in
order to provide adequate dial-up protection.

2.1 General System Access Control Objectives

The first set of objectives applies to any system which must be available for
use when needed or must safeguard the information contained in it from harm or
disclosure to unauthorized persons. This includes almost any system used in
business today, even personal computers. To lay a foundation for later
discussion, it will be useful to explore the rationale for using computer
system access control mechanisms of any type. What do we hope to achieve by
means of computer system access control, whether it is based in hardware or
software?

2.1.1 Access by Legitimate Users. The primary reason for making use of
access control measures is to ensure that only legitimate users may gain access
to the computer system and its resources. We simply want to make sure that
properly authorized individuals or groups of people can use the computer
according to their needs. The computer system must be viewed as a very
precious and valuable resource to the organization which operates it, both in
terms of the processing power it provides and the information available through
it. Further, most organizations are highly dependent upon their computer
systems and cannot afford to have processing disrupted or delayed. Therefore,
it is important that only people with a need to know or a need to perform
authorized activities be able to use a particular computer system. It is
equally important that persons with a reason to harm the organization be barred
from gaining any access to the system.

2.1.2 Authorized Functions. The second general objective of system access
control is that users may only perform functions authorized to them, once they
have been admitted to the computer system. This objective is often not fully
achieved in many business systems. In computer security terms, we can think of
the whole computer system domain as comprising a group of subjects, which
perform functions or use system resources, and a group of objects of these
functions (see Figure 2-1). Subjects may be system users or application
programs, and objects are the entities in the system which they may use or act
upon, such as files, other programs, or data base records.

A set of conditions may also be described, under which specific subjects may
act upon specific objects, for example the granting of read-write-execute
permissions, or permitted use of a program only within specified hours, and so
forth. With regard to communications, it is often appropriate to set the
ability to gain access to the computer via dial-up telephone as one condition
of use. This condition normally should not be available to every system user.
However, in many systems, there is no practical way to enforce the condition of
dial-up access by means of the operating system or application programs.

The set of subject-condition-object relationships that comprise the
access/authorization needs for a particular system can be described by a set of
rules, one for each relationship. These rules can then be incorporated into
the operating system in some form, and used to mediate all access requests for
system objects. Certain operating systems provide this ability, and software
packages that do this are available for some large systems. In defining the
system security requirements for a computer system, or even an application, it
is often useful to develop this set of rules formally.
    +-----------+        +-------------+        +----------+
    |  SUBJECT  | -----> |  CONDITION  | -----> |  OBJECT  |
    +-----------+        +-------------+        +----------+

    SUBJECT EXAMPLES:    CONDITION EXAMPLES:    OBJECT EXAMPLES:
    Users                Read/write/execute     Files
    Applications         Time of day            Programs
                         Communications mode    Data Bases
                                                Records


Figure 2-1   Authorized Functions — Access Control Matrix


The above access control security objectives are appropriate for any computer
system, although in less sophisticated systems it may be difficult to carry out
the second objective because of weaknesses in the operating system. For
presently-available personal computers, it is not possible to achieve either
objective without the use of add-on devices or software of some sort.
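As an added illustration of the subject-condition-object rules described in
Section 2.1.2 and of the matrix in Figure 2-1 (example code written for this
edition, not part of the NBS document or of any operating system), the Python
below mediates access requests against an explicit rule set with a default of
deny. Dial-up access is carried as one condition that a rule must grant
explicitly, alongside the access mode and the time-of-day window. The subjects,
objects and rules are constructed for illustration; this shows the general form
of the check rather than the mechanism of any particular system.

```python
from dataclasses import dataclass
from typing import FrozenSet, Iterable, Tuple


@dataclass(frozen=True)
class Request:
    subject: str      # a user or an application program
    obj: str          # a file, program, data base or record
    mode: str         # "read", "write" or "execute"
    hour: int         # hour of day (0-23) at which access is requested
    connection: str   # "direct" (dedicated circuit) or "dialup"


@dataclass(frozen=True)
class Rule:
    """One subject-condition-object relationship of the access control matrix."""
    subject: str
    obj: str
    modes: FrozenSet[str]
    hours: Tuple[int, int] = (0, 24)   # permitted window [start, end) in hours
    dialup: bool = False               # may this access be exercised over a dial-up port?

    def permits(self, r: Request) -> bool:
        if (r.subject, r.obj) != (self.subject, self.obj):
            return False
        if r.mode not in self.modes:
            return False
        start, end = self.hours
        if not start <= r.hour < end:
            return False
        if r.connection == "dialup" and not self.dialup:
            return False
        return True


def mediate(rules: Iterable[Rule], r: Request) -> bool:
    """Default deny: grant only if some rule explicitly satisfies every condition."""
    return any(rule.permits(r) for rule in rules)


# Constructed rule set (hypothetical subjects and objects).
RULES = (
    Rule("PAYCLERK", "PAYROLL.DAT", frozenset({"read", "write"}), hours=(8, 18)),
    Rule("PAYCLERK", "PAYREPT.EXE", frozenset({"execute"}), dialup=True),
    Rule("AUDITOR", "PAYROLL.DAT", frozenset({"read"}), dialup=True),
)


def decisions() -> dict:
    """Mediate a few constructed requests; returns name -> granted."""
    cases = {
        "clerk_read_office_hours_direct": Request("PAYCLERK", "PAYROLL.DAT", "read", 10, "direct"),
        "clerk_read_office_hours_dialup": Request("PAYCLERK", "PAYROLL.DAT", "read", 10, "dialup"),
        "clerk_write_night_direct": Request("PAYCLERK", "PAYROLL.DAT", "write", 22, "direct"),
        "clerk_run_report_dialup": Request("PAYCLERK", "PAYREPT.EXE", "execute", 22, "dialup"),
        "auditor_read_night_dialup": Request("AUDITOR", "PAYROLL.DAT", "read", 2, "dialup"),
        "auditor_write_direct": Request("AUDITOR", "PAYROLL.DAT", "write", 10, "direct"),
        "stranger_read_direct": Request("GUEST", "PAYROLL.DAT", "read", 10, "direct"),
    }
    return {name: mediate(RULES, req) for name, req in cases.items()}


if __name__ == "__main__":
    for name, granted in decisions().items():
        print(f"{name:34s} {'GRANT' if granted else 'DENY'}")
```

The clerk's read of PAYROLL.DAT is granted over a direct connection but denied
over dial-up, because no rule grants that subject the dial-up condition on that
object; the same clerk may still run the report program from a dial-up
terminal, and the auditor may read the file at any hour from anywhere.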


2.2 Dial-Up Access Issues

Any user's terminal or printer is connected to a computer by means of some form
of communications. For security purposes, it is useful to group the forms of
communications between a user and a computer into direct-connect and dial-up
access. Direct connect access encompasses any form of connection or circuit
that is dedicated for use between the computer and a specific terminal or other
device. Examples of dedicated connections include a direct wire between the
two, a local link such as a local area network, or a leased telephone circuit.
These are much easier to control than the dial-up connection.

The typical dial-up communications circuit differs from direct connection in
that the major portion of the linkage consists of the public telephone network.
The very nature of dial-up communications implies that the user may be anywhere
in the world that the telephone network reaches. Anyone who comes into
possession of the telephone number for a computer's dial-up port may attempt to
gain access. The computer, then, must assume the job of screening incoming
calls to verify that the terminal connection itself is valid.


Figure  2-2   Dial-up  Circuit  —  Normal  Configuration 
The objectives of dial-up communications security are somewhat different from
the general security objectives, because they must deal specifically with this
need to perform effective call-screening. Present operating system access
controls may do the job, but this ought to be verified carefully. Several
security issues become more important under conditions where dial-up
communications are used.

2.2.1 Presumption of Legitimacy. There can be some small presumption of
legitimacy with direct-connect users, but none at all for those who connect via
the telephone system. By virtue of the fact that a person is attempting to
gain access via a dedicated circuit of some sort, it is possible to construe
that the individual has legitimate physical access to the terminal. One
feature of dedicated or direct-connect links is that the physical locations of
all devices connected to them are usually known. Hopefully also, these devices
are under some form of organizational access control or physical security. In
this case, it is usually correct to assume that the user is an employee,
although not necessarily a valid system user.

In the case of dial-up connections, there is absolutely no assurance that the
potential user attempting connection has any legitimate reason to gain access
to the system. There is no simple way that any physical control can be
exercised over the dial-up terminal, the common-user portion of the
communications circuit (the public telephone system) or the user to bolster any
presumption of legitimacy.

2.2.2 Information Access Restrictions. The threat of harm due to information
disclosure is typically greater from those who have no pre-defined connection
with the organization. In the course of their duties, employees often have
routine access to sensitive "company proprietary" information that requires
protection from outsiders. If the system has dial-up access capability, this
information must be given greater protection than if no dial-up were
permitted. One might use the analogy of permitting relatives in the house
versus protecting against housebreakers. If inadequate locks were used on the
doors, it would be foolish to store valuables in the house. If locks are used
properly, then it becomes easier to identify whether the relatives have stolen
anything.

2.2.3 Monitoring Communications Events. If dial-up access is permitted, then
communications events should be monitored for two basic reasons. It would be
useful to evaluate how effectively the legitimate users are interacting with
the system and whether they are having problems that require additional
instruction. More importantly, a way is needed to identify any external
attacks on the system, such as a series of failed log-on attempts. From a
security perspective, it is crucial to be able to know when the system is being
attacked, so that stronger defense techniques may be used or the police may be
notified when warranted.

2.3 A New Concept: Protection of Dial-Up Circuits

Using hardware devices to protect the computer's dial-up ports and its external
communications lines is a fairly new idea for almost everyone who has not
worked closely with military or government secrets. When the communications
circuits are directly protected from intruders, the organization can be less
dependent upon standard operating systems, whose access control mechanisms are
often weak, to shield the computer. As the sensitivity, criticality, and need
for accuracy of the information in a system with dial-up capability increases,
this special form of protection becomes more important.

2.4 Special Measures to Protect Dial-Up Ports

Three security measures are extremely valuable in protecting a computer from
the threat of system intruders gaining access via the dial-up telephone
system. These measures are available for use in some, but not all, computer
operating systems. Other systems, especially personal computers, are not able
to provide these capabilities without modification. If the three measures are
not available, it is possible to provide this same protection by adding special
external devices which are discussed below. A fourth security measure may help
in preventing access and also in protecting the information being transmitted
from disclosure or tampering.

2.4.1 Highly Effective User Identification. The keystone of all access
control is effective identification and authentication of users. This normally
means the use of a well administered user name and password process. When this
standard mechanism is not available or is weak because of poor administrative
practices or other reasons, a number of other access control techniques can
provide the same capability. Most external dial-up protection devices address
this weakness.

2.4.2 Security Event Logging. The system's own journalling or logging
capability should always be used to monitor all communications activity with
the host, to determine system usage, identify user difficulties and uncover
intrusion attempts. An effective log that is routinely reviewed will help the
security administrator to make an appropriate response to penetration threats
or system misuse. Without this ability, there is usually no way for the system
manager to determine before some damage takes place whether intrusion attempts
are occurring. If adequate system journalling is not possible, as is the case
with many smaller or less sophisticated systems, several devices can be fitted
which perform this function as part of a dial-up user access control strategy.

2.4.3 Limiting "Brute Force" Attacks. Brute force, or using a computer to
attack another computer, is the single most common approach that an
unsophisticated attacker will use. An example of this technique is a program
that generates and tries a series of passwords one after another. Mechanisms
that limit the effectiveness of "brute force" repetitive attacks will
significantly reduce the likelihood of a successful attack from an intruder.
Any mechanism which prohibits more than a very small number of log-on attempts
per connection is very useful here.

2.4.4 Protecting Information from Disclosure. It may be appropriate to
protect the information being transmitted between terminal and computer from
disclosure or tampering. It is often very easy to intercept standard dial-up
traffic by means of wire taps. It requires only a slightly more sophisticated
intruder to modify and retransmit information that has been intercepted.
Mechanisms that encrypt the information on the line can prevent disclosure, and
mechanisms that authenticate the message contents can detect modifications.
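An added example (not from the original publication) of the second mechanism
in Section 2.4.4, message authentication on the line. Both ends of the link
hold the same key, installed out of band; each frame carries a sequence number
and an HMAC-SHA-256 tag computed over the number and the contents, so a frame
whose contents were altered in transit, or a genuine frame that an interceptor
recorded and retransmitted, is rejected by the receiver. HMAC-SHA-256 is a
present-day substitute for the DES-based message authentication codes of the
document's period; the key, the sample message and the frame layout are
constructed for illustration. Encryption of the contents, the first mechanism,
is assumed to be applied separately and is not shown.

```python
import hashlib
import hmac
import struct

SEQ_LEN = 4    # 32-bit sequence number prepended to each frame
TAG_LEN = 32   # HMAC-SHA-256 output appended to each frame


class LineAuthenticator:
    """One end of a protected dial-up link.  Both ends share the same key.
    The sequence number lets the receiver reject a recorded frame that is
    simply played back; the tag lets it reject any change to the contents."""

    def __init__(self, key: bytes):
        self._key = key
        self._send_seq = 0    # last sequence number transmitted
        self._recv_seq = 0    # highest sequence number accepted so far

    def protect(self, payload: bytes) -> bytes:
        self._send_seq += 1
        header = struct.pack(">I", self._send_seq)
        tag = hmac.new(self._key, header + payload, hashlib.sha256).digest()
        return header + payload + tag

    def verify(self, frame: bytes) -> bytes:
        """Return the payload, or raise ValueError if the frame was modified or replayed."""
        if len(frame) < SEQ_LEN + TAG_LEN:
            raise ValueError("frame too short")
        header, payload, tag = frame[:SEQ_LEN], frame[SEQ_LEN:-TAG_LEN], frame[-TAG_LEN:]
        expected = hmac.new(self._key, header + payload, hashlib.sha256).digest()
        if not hmac.compare_digest(tag, expected):      # constant-time comparison
            raise ValueError("authentication failed: contents modified or key mismatch")
        (seq,) = struct.unpack(">I", header)
        if seq <= self._recv_seq:
            raise ValueError(f"replay: sequence {seq} already accepted")
        self._recv_seq = seq
        return payload


def demonstrate() -> dict:
    """Genuine, modified and replayed frames on a constructed key and message."""
    key = b"constructed-example-key-not-for-real-use"   # hypothetical, shared out of band
    terminal, host = LineAuthenticator(key), LineAuthenticator(key)
    message = b"TRANSFER 100.00 TO ACCT 4471"                # constructed sample traffic
    frame = terminal.protect(message)
    results = {"genuine": host.verify(frame) == message}

    # An interceptor changes the amount in transit: "100.00" becomes "900.00".
    tampered = bytearray(frame)
    tampered[SEQ_LEN + 9] = ord("9")
    try:
        host.verify(bytes(tampered))
        results["modified"] = "accepted"
    except ValueError as err:
        results["modified"] = str(err)

    # The interceptor records the genuine frame and plays it back later.
    try:
        host.verify(frame)
        results["replay"] = "accepted"
    except ValueError as err:
        results["replay"] = str(err)
    return results


if __name__ == "__main__":
    for case, outcome in demonstrate().items():
        print(f"{case:9s} {outcome}")
```

The tag is checked before the sequence number so that a forged header is never
acted upon; the sequence counter must be kept across the whole session, and on
a real link both directions would use separate keys or separate counters.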
3. COMMON COMMUNICATIONS WEAKNESSES IN COMPUTER SYSTEMS

Computer system intruders, whether they are hackers or more serious criminals,
could not be successful if there were not one or more serious weaknesses in the
systems they attack. This section discusses the general nature of these
weaknesses, so that a set of strategies may be developed to overcome them.

3.1 Typical Computer System Security Considerations

The typical computer system is a set of hardware, software, and administrative
procedures, each with potential security weaknesses. The most important aspect
of the hardware for communications security purposes is the set of user
terminals and the way they are attached to the system. The software consists
of the operating system, perhaps one or more data base management systems, sets
of information files, and numerous applications programs. Of these, the
operating system is the main key to access control. Procedures for managing
the hardware and software assets can support or hinder overall system security.

3.1.1 Operating System Strength. The operating system is the computer's
primary protection mechanism. It can be viewed conceptually as surrounding the
other types of software and the files, because all access to these is gained by
means of operating system commands. Therefore, the inherent resistance of a
computer system to intruders can be measured by the strength of the operating
system's access control mechanisms.

3.1.2 Numerous Ports. The computer hardware supports a number of physical
and logical ports that are used for connection of terminals and other external
devices. In the simplest sense, a port is a socket into which a dedicated
terminal or modem is plugged so that it may communicate with the host.
Normally, there is no special hardware protection for these ports, and often
the hardware provides no way to inform the operating system that an incoming
user has gained access via a dial-up modem instead of a dedicated circuit.

3.1.3 External Links. In most systems, the computer does not treat external
communications links via dial-up modems differently from direct terminal
connections in terms of system access. It is common that all users, regardless
of access mode, are viewed by the operating system as being equal for
access purposes.

3.2 Common Mainframe and Minicomputer System Weaknesses

Most computer access control weaknesses arise from inadequate or ineffective
use of capabilities that are already available on the average system. Often,
this is so because the system managers have an inadequate perception of the
risk level due to intruder penetration. These weaknesses tend to be
ADMINISTRATIVE, rather than technical. The typical intruder, whether he or she
belongs to the organization or is an outsider, does not demonstrate a high
degree of sophistication in the dial-up attacks. For the attacks to succeed,
human failure to adhere to sound security practices has usually provided the
means.

3.2.1 Password Management. The largest single security weakness in many
computer systems is password selection and administration. The most common
faults are inadequate password change frequency and permitting the user to
select his or her own passwords. The result is that many systems contain
numerous trivial passwords that remain in effect for long periods of time.
These become known to disgruntled insiders or can be easily guessed by
outsiders. The issue of valid system password procedures is addressed in
Section 4.1 of this document and in [FIPS112].

3.2.2 System Privileges. Many medium-sized computers, or minicomputers, tend
to have relatively informal system management. In these cases, there often are
inadequate controls over assignment of "super-user" or supervisory-level access
privileges. It is common in these systems that a number of users have been
granted this level of access when they do not have a strict need for it. The
supervisory access level permits a user to perform any action in the system,
even the ability to change global system security provisions or modify system
journals or logs. If an intruder is able to gain access via this level of
privilege, harm of the most serious type may result. The worst cases of system
intrusion followed by damage have occurred in systems which retained the user
identification and password codes originally supplied with the equipment by the
computer vendor, because these codes have full system privileges and are well
known.

3.2.3 Variance Detection. In computer security, a basic rule is: if you
can't reliably prevent a harmful event, then do a good job of detecting it so
that you can correct the problem before it gets out of hand. Variance
detection mechanisms, usually consisting of system event logging plus a means
of analyzing the logs for security variances, are the primary means to do
this. Frequently, information useful for this purpose may be collected via
system logging, but analysis and follow-up actions are either tardy or
incomplete.
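As an added example of the analysis step of variance detection (code written
for this edition, not part of the NBS document), the Python below scans
log-on journal lines for the variance named in Section 2.2.3, a series of
failed log-on attempts on one port inside a short window, and also flags a
successful log-on that follows such a series, since that is the signature of a
guessed password. The journal format and the lines themselves are constructed
for illustration; a real system logger's format would need its own parser, but
the sliding-window logic is the same.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed journal lines in a simple fixed format (not any real logger's):
#   <date> <time> <port> LOGON <OK|FAIL> user=<name>
SAMPLE_JOURNAL = """\
1986-03-04 02:10:11 PORT07 LOGON FAIL user=SYSMGR
1986-03-04 02:10:40 PORT07 LOGON FAIL user=SYSMGR
1986-03-04 02:11:05 PORT07 LOGON FAIL user=MAINT
1986-03-04 02:11:31 PORT07 LOGON FAIL user=OPER
1986-03-04 02:12:02 PORT07 LOGON OK user=OPER
1986-03-04 08:30:00 PORT03 LOGON FAIL user=JSMITH
1986-03-04 08:30:25 PORT03 LOGON OK user=JSMITH
1986-03-04 14:00:00 PORT03 LOGON FAIL user=JSMITH
1986-03-04 14:01:00 PORT03 LOGON FAIL user=JSMITH
1986-03-04 14:02:00 PORT03 LOGON OK user=JSMITH
""".splitlines()

LINE = re.compile(r"^(\S+ \S+) (PORT\d+) LOGON (OK|FAIL) user=(\S+)$")


def parse(line):
    """Return (timestamp, port, result, user) or None for a line we do not understand."""
    m = LINE.match(line)
    if not m:
        return None
    stamp, port, result, user = m.groups()
    return datetime.strptime(stamp, "%Y-%m-%d %H:%M:%S"), port, result, user


def find_variances(lines, threshold=3, window=timedelta(minutes=5)):
    """Return alerts as (kind, port, time, detail) tuples, in journal order."""
    recent = defaultdict(deque)   # port -> times of failures still inside the window
    flagged = {}                  # port -> time until which a reported burst is "live"
    alerts = []
    for line in lines:
        rec = parse(line)
        if rec is None:
            continue
        ts, port, result, user = rec
        q = recent[port]
        while q and ts - q[0] > window:      # slide the window forward
            q.popleft()
        if result == "FAIL":
            q.append(ts)
            if len(q) >= threshold and ts > flagged.get(port, datetime.min):
                flagged[port] = ts + window
                alerts.append(("FAILED_LOGON_BURST", port, ts,
                               f"{len(q)} failures within {window}"))
        else:
            # A success right after a burst is the most important thing to see.
            if ts <= flagged.get(port, datetime.min):
                alerts.append(("SUCCESS_AFTER_BURST", port, ts, f"user={user}"))
                del flagged[port]
            q.clear()   # a successful log-on ends the series for this port
    return alerts


if __name__ == "__main__":
    for kind, port, ts, detail in find_variances(SAMPLE_JOURNAL):
        print(f"{ts:%Y-%m-%d %H:%M:%S} {port} {kind} {detail}")
```

On the constructed journal, PORT07 produces a burst alert at the third failure
and a second alert when the log-on as OPER succeeds a minute later; the two
isolated failures on PORT03 stay below the threshold and produce nothing, which
is the intended behaviour for a user who simply mistyped.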

3.2.4 Operating System Capability. It is often the case that inadequate use
is made of present operating system security capability. For example, system
loggers for medium and large scale systems are able to collect a large number
of different types of information about system events, many of which are
security related. However, this capability must be enabled by setting the
appropriate software switches, which is often not done. Additionally,
operating systems may have an unused capability of terminating log-on sequences
after a selectable number of invalid attempts, recording such an event in the
system logger, and then disabling the port for a certain period. There are
often other inherent security features which are not fully exploited, such as
the ability to pre-define user privileges rigorously according to need or to
force users to stay within certain boundaries, such as specific directories or
application systems.
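The mechanism described in Sections 2.4.2, 2.4.3 and 3.2.4, limiting the number
of log-on attempts per connection, recording every event in a journal, and
disabling the port for a period after repeated failed connections, as an added
example in Python (not code from the document, from any operating system or
from any vendor's device). The port name, the credential table, the thresholds
and the clock are constructed; the clock is injected so that the run is
deterministic and can be exercised offline.

```python
import hmac
from datetime import datetime, timedelta


class FakeClock:
    """Injected clock so the example runs deterministically offline."""
    def __init__(self, start):
        self.now = start

    def __call__(self):
        return self.now

    def advance(self, delta):
        self.now += delta


class DialupPortGate:
    MAX_TRIES = 3                    # log-on attempts allowed per connection
    MAX_BAD_CONNECTIONS = 2          # consecutive failed connections before the port is disabled
    LOCKOUT = timedelta(minutes=15)  # how long the port then refuses calls

    def __init__(self, port, credentials, clock):
        self.port = port
        self.credentials = credentials   # constructed user -> password table; a real system stores hashes
        self.clock = clock
        self.bad_connections = 0
        self.disabled_until = None
        self.journal = []                # every security event; never the password typed

    def _log(self, event, **fields):
        self.journal.append({"time": self.clock(), "port": self.port, "event": event, **fields})

    def _password_ok(self, user, password):
        stored = self.credentials.get(user, "")
        # Compare even for unknown users so that timing does not reveal valid names.
        return hmac.compare_digest(stored.encode(), password.encode()) and user in self.credentials

    def answer_call(self, attempts):
        """attempts: (user, password) pairs typed by the caller, in order.
        Returns 'ACCEPT', 'REJECT' or 'PORT_DISABLED'."""
        now = self.clock()
        if self.disabled_until is not None and now < self.disabled_until:
            self._log("CALL_REFUSED", disabled_until=self.disabled_until)
            return "PORT_DISABLED"
        self.disabled_until = None
        self._log("CALL_ANSWERED")
        for user, password in list(attempts)[: self.MAX_TRIES]:   # hard cap per connection
            if self._password_ok(user, password):
                self._log("LOGON_OK", user=user)
                self.bad_connections = 0
                return "ACCEPT"
            self._log("LOGON_FAIL", user=user)
        self._log("CONNECTION_DROPPED")
        self.bad_connections += 1
        if self.bad_connections >= self.MAX_BAD_CONNECTIONS:
            self.disabled_until = now + self.LOCKOUT
            self.bad_connections = 0
            self._log("PORT_DISABLED", disabled_until=self.disabled_until)
        return "REJECT"


def simulate():
    """Two attacking calls, then the legitimate user calls during and after the lockout."""
    clock = FakeClock(datetime(1986, 3, 4, 2, 10))
    secret = "Kq7!vR2m-pz"                                     # constructed credential
    gate = DialupPortGate("PORT07", {"SYSMGR": secret}, clock)
    guesses = [("SYSMGR", "SYSMGR"), ("SYSMGR", "PASSWORD"),
               ("SYSMGR", "MANAGER"), ("SYSMGR", secret)]       # the 4th guess is right but never reached
    results = [gate.answer_call(guesses)]
    clock.advance(timedelta(minutes=1))
    results.append(gate.answer_call(guesses))                  # second failed connection disables the port
    clock.advance(timedelta(minutes=1))
    results.append(gate.answer_call([("SYSMGR", secret)]))     # legitimate user is locked out too
    clock.advance(timedelta(minutes=20))
    results.append(gate.answer_call([("SYSMGR", secret)]))     # lockout has expired
    return results, gate.journal


if __name__ == "__main__":
    outcomes, journal = simulate()
    print(outcomes)
    for entry in journal:
        print(entry["time"].strftime("%H:%M:%S"), entry["port"], entry["event"],
              {k: v for k, v in entry.items() if k not in ("time", "port", "event")})
```

The cap of three attempts per connection is what defeats the password-guessing
program of Section 2.4.3; the port lockout raises the cost of redialling but
also locks out the legitimate caller, which is the trade-off the system manager
must accept when choosing the period. Note that the journal records the user
name tried and never the password, so the log itself does not become a source
of compromise.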
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3.3   Personal  CoaipatBZ  Seairity  Weaknesses 

Although  personal  carputers  (PCs)  are  rapidly  becoming  an  important  part  of  our 
total  computing  resources,  they  typically  have  no  inherent  security  controls  of 
any  type.  Ihere  are  a  variety  of  supplemental  control  mechanisms  which  are  now 
on  the  market  for  various  types  of  PC  that  can  be  installed  by  the  user 
organization.  Discussion  of  those  mechanisms  is  outside  the  scope  of  this 
document y  but  the  subject  of  PC  protection  is  covered  in  substantial  detail  in 
[1SBS85] ,  Seme  of  the  securi  ty  features  that  are  desirable  in  connection  with 
dial-up  access  control  and  usage  but  are  missing  from  this  class  of  computer 
are  described  below. 

3.3.1  System  Privileges.  The  operator  of  a  PC  normally  has  easy  and  full 
access  to  all  system  capabilities.  There  is  no  such  thing  as  a  privileged  or 
supervisory  execution  state,  in  vdiich  security  controls  may  be  specified.  This 
is  perhaps  the  most  significant  security  weakness  of  the  PC,  and  causes  many  of 
the  following  problems. 

3.3.2  User  Ident if ication .  These  computers  have  absolutely  no  inherent 
ability  to  identify  and  authenticate  users,  or  to  establish  any  hierarchy  of 
system  privileges  for  different  types  of  users,  lihen  a  PC  is  "booted"  (turned 
on  or  reset)  s,  it  imnediately  begins  to  follow  the  commands  of  the  person  who 
turns  it  on.  Although  "batch"  command  files  are  often  used  for  system  control, 
these  are  easily  bypassed  by  anyone.  If  the  PC  is  used  with  a  modem  in  a 
remote-access  mode,  the  same  problem  exists. 

3.3.3  System  Utilities.  One  of  the  more  desirable  PC  features  from  the  user's 
viewpoint  is  the  easy  use  of  powerful  system  utilities  to  operate  on  files  and 
their  contents.  Simple  commands  permit  the  user  to  create,  modify,  and  delete 
files  or  programs.  As  seme  users  have  unfortunately  found,  it  is  just  as  easy 
to  totally  erase  the  contents  of  the  10-megabyte  hard  disk  via  incorrect 
calling  of  the  commonly  used  "format"  command. 

3.3.4 File Protection. Most larger systems permit the administrator to
protect programs or files by defining the specific authority of individuals or
groups of users to read, write, or execute these system objects (see Section
2.1). In the PC's DOS operating system, this capability does not exist,
because users cannot be separately controlled and anyone can use any program or
file in the system.

3.3.5 System Logging. The PC commonly has no inherent ability to do system
event logging of any sort. No provisions exist in current versions of most
popular PC operating systems to perform this function.

3.3.6 Auto-Answer Modems. The rising use of auto-answer modems in connection
with personal computers that use large hard disk files for important business
functions creates a special problem. It is easy to set the computer up in a
mode in which anyone who dials in is able to perform any system function. This
includes the ability to make intentional or inadvertent modification or erasure
of such files in any way the remote user chooses.

There is a set of control measures that either already are available in the
typical host computer operating system or can be added to the operating system
with little effort. In addition, procedures for administering these controls
can often be improved to make them significantly more effective.

4.1 Valid System Password Procedures

It has been fashionable in some computer security circles to malign the
protective value of the lowly but time-honored user name and password process.
In fact, this does provide a significant measure of security if administered
properly. In most cases, this may be all that is needed, provided that certain
precautions are taken so that the passwords cannot easily be compromised. The
NBS publication [FIPS112] provides a standard for development and
administration of a strong password system. In terms of that document, key
points describing such a system and procedures for managing it are discussed
below.

4.1.1 User Identification and Passwords.

There are ten characteristics of a good password system described in [FIPS112].
In brief, they are:

o large possible number of passwords, based on minimum length (at least
four characters) and composition (at least ten different characters to select
from), to permit a minimum of 10,000 passwords for the lowest level of
security.

o secure storage, entry and transmission of the passwords so that the
password is protected from disclosure to unauthorized individuals and that
retries after invalid entry are limited, and authentication such that the
password is required each time the individual logs on.

o ownership and distribution of passwords should be controlled in such a
way that the password is known only to the individual owning it.

o source of the password such that it is selected at random or is not
related to the owner's personal identity, history or environment.

o maximum lifetime of one year for the lowest level of security, with
speedy replacement after compromise is suspected or the owner is no longer
authorized access.

4.1.2 Effective Password Management Procedures. Based on the above criteria,
it can be seen that among the most important points in password administration
is proper password selection. If the passwords are selected by users, there
should be mechanisms to ensure that those selected are not short, trivial, or
otherwise easily guessed. In addition, adequate password change criteria
should be set up so that the passwords will not stay active on the system after
the point that they are no longer needed or it can be suspected that
unauthorized persons may have gained access to them. System management
procedures should ensure that the system protects the passwords from
unauthorized disclosure.
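The following is an added example, not part of the publication: a small policy checker built from the [FIPS112] criteria summarised above (minimum length, composition, 10,000-password space, one-year lifetime, change on suspected compromise). The helper names, the personal-data check and the all-digit rule are this example's own assumptions.

```python
"""Added example (not from the NBS publication): password policy checks
derived from the FIPS 112 criteria summarised in Section 4.1. The thresholds
are the page's lowest-level values; the personal-data and all-digit checks
and the function names are this example's own assumptions."""
from datetime import date, timedelta
import secrets
import string

MIN_LENGTH = 4             # minimum length for the lowest security level
MIN_ALPHABET = 10          # composition: at least ten characters to choose from
MIN_PASSWORD_SPACE = 10_000
MAX_LIFETIME_DAYS = 365    # maximum lifetime of one year


def password_space(length, alphabet_size):
    """Number of possible passwords of exactly this length over this alphabet."""
    return alphabet_size ** length


def system_meets_minimum(length, alphabet_size):
    """Lowest FIPS 112 level: length >= 4, alphabet >= 10, space >= 10,000."""
    return (length >= MIN_LENGTH
            and alphabet_size >= MIN_ALPHABET
            and password_space(length, alphabet_size) >= MIN_PASSWORD_SPACE)


def is_trivial(password, personal_facts):
    """Return the reasons a user-chosen password is short, trivial or guessable.

    personal_facts: strings tied to the owner's identity (user name, birth
    year, ...) that the password must not contain. Assumed check, not FIPS text.
    """
    reasons = []
    if len(password) < MIN_LENGTH:
        reasons.append("shorter than minimum length")
    if len(set(password)) == 1:
        reasons.append("single repeated character")
    lowered = password.lower()
    for fact in personal_facts:
        if fact and fact.lower() in lowered:
            reasons.append("contains personal data '%s'" % fact)
    if password.isdigit() and len(password) <= 6:
        reasons.append("short all-digit string")
    return reasons


def generate_password(length=8, alphabet=string.ascii_letters + string.digits):
    """Random selection, as the criteria recommend, from the OS CSPRNG."""
    return "".join(secrets.choice(alphabet) for _ in range(length))


def must_replace(issued_iso, today_iso, compromise_suspected=False,
                 still_authorized=True):
    """Change criteria: lifetime expired, compromise suspected, or authorization
    withdrawn. Dates are ISO strings so the check is easy to drive from scripts."""
    if compromise_suspected or not still_authorized:
        return True
    issued = date.fromisoformat(issued_iso)
    today = date.fromisoformat(today_iso)
    return today - issued > timedelta(days=MAX_LIFETIME_DAYS)
```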

4.2 System Event Logging as Protection

Automatic logging of important system events has many uses. In terms of system
security, logging represents a warning device to help make system
administrators aware of improper user practices or attempts at intrusion. With
this knowledge, they can then take any number of corrective actions to reduce
the problem. Without adequate system logging, there is usually no clear way to
determine that a system is being attacked.
4.2.1 What Events Should be Logged. In most large minicomputers and
mainframes, a large number of system events can be automatically logged.
Normally, these must be specified by the systems programmer at system
generation time. These individuals are often understandably reluctant to
enable very much system logging, because it does tend to reduce system
efficiency to some extent. However, there are several types of events which it
is very important to capture in order to identify security-related activities
in the system. The following events are most important to log, but it should
be noted that the names given to these events in particular operating systems
vary.

o All system-level user entry/exit activity, such as log-on and log-off.

o All starts and stops of sensitive processes or applications, especially
if it can be determined that they are done by unauthorized individuals.

o All accesses to sensitive files, especially if it can be determined
that they are done by unauthorized individuals.

o All other forms of access violations, such as improper time of day,
directory, terminal, communications entry mode, or failed access attempts.

4.2.2 How the System Event Log Should be Maintained. If at all possible, user or
program access to the system log should be highly controlled. The log should
not be vulnerable to modification if the system is penetrated. The technique
of system log modification is frequently used by intruders or internal system
criminals to cover up illegal activity.

4.2.3 Variance Detection Methods. In addition to collection of the security
event data, it is necessary to create or obtain a program to extract and
display this data in formatted reports for quick and easy review by the system
security administrator. If this step cannot be done readily, the logging
function has no security value.
4.3 Access "Rules Matrix"

In higher security systems, it is appropriate to define the computer system
resources in terms of the subjects, objects, and conditions of use described in
Section 2.1. From this definition, a set of access rules may be developed for
each user that describes his or her privileges in the system. This rules
matrix can then be checked each time the user attempts to perform a function on
the system. A number of minicomputers and mainframes either have this
capability inherent in their operating systems, or commercial software packages
can be obtained to perform the same functions.

4.4 Other System Controls Against Brute Force Penetration

In addition to the measures described above, there are a number of other
techniques that may be used to increase the security of dial-up connections to
the computer. Some of these are manual, some already exist in many computer
systems, and others require small modifications to the operating system. With
respect to the latter, a large number of operating systems permit "exits" or
"hooks" to locally-developed procedures as part of the user sign-on function.

4.4.1 Key Principle. The key principle in controlling dial-up access to the
computer is to identify and act upon invalid access attempts [MURH'JSS]. When
an access attempt fails, it was caused by either an intruder attempting to
guess valid entry codes or a valid system user who is having difficulty. The
system should not be so well secured that it makes usage difficult for the
ordinary legitimate user, yet it should provide a strong measure of protection
from the determined intruder. One typical form of the intruder attack is to
use the computer to perform repetitive access attempts in order to improve the
odds of hitting upon valid access code sequences and thereby gain entry to the
system. This technique, called "brute force," requires the intruder to make a
large number of tries and to do them very rapidly. Otherwise, the connect-time
via the telephone will become very long and possibly costly to the intruder.

It is important to count the number of invalid ID or password tries per
session, because this is a give-away to the "brute force" attack. Even the
most inept legitimate user will seldom make more than three tries before being
successful. If they do, then it is quite likely they are using incorrect
sign-on information, which of course should be identified by the system manager
for correction. It can then be assumed that if any dial-up user makes more
than three invalid sign-on attempts, this indicates that either there is an
inept user on the line who needs help or the system is under attack by a
determined intruder.

A second means of detecting intruders which can be performed readily at the
operating system level is to recognize the speed of sequential sign-on
attempts. In the case of a legitimate user, there will usually be a few
seconds of delay from the time the user is notified by the system of an access
failure to the start of their next attempt. In the case of the intruder, this
delay will be very much shorter because the sign-on information will be
generated automatically instead of being keyed in a character at a time by
human fingers.

These two clues, the speed of repetitive sign-on attempts and the number of
attempts per session, can be used as control information for identifying and
dealing with intruders.

4.4.2 Limiting Access Attempts per Connection. The simplest control is simply
to permit no more than a few invalid sign-on tries (usually three) per session.
Once the limit has been reached, the computer can be forced to break the
connection. Many operating systems already have the capability to do this, but
often it must be turned on. A somewhat risky follow-on action is to time-out
the line for some period so that it may not be used. The potential problem
with the time-out tactic is that it could possibly be turned against the
organization by an intruder whose intent was to harass, by attacking each port
in turn until all the lines were tied up.

4.4.3 Reporting on Invalid Attempts. As the information that an invalid
attempt has occurred becomes available, based on the criteria described above, it
is then possible to take immediate action if desired. One way this could be
done is to have the operating system send an alarm and message to the system
security administrator while the attack is still under way. To be most
effective, this should be done without terminating the connection or warning
the intruder. Then it is possible to trace the call or take other actions as
appropriate. As a minimum, these invalid attempts should be logged for later
reporting.

4.4.4 Slowing Down System Response. Once the pre-set limit of sign-on attempts
has been reached, the system can begin to slow down its responses to the
attempts while maintaining the connection. This has the effect of "stringing
the intruder along", and thereby frustrating the attempt. It may also be used
in connection with other tactics described in this section.

4.4.5 Unlimited "Dummy" Attempts. Very similar to the above, and often used
with it, is the strategy of permitting the user to make any number of sign-on
attempts without any possibility of becoming successful. The overt system
response to each attempt would remain the same, but the sign-on validation
routine would enter a "loop" to give this response to every attempt.

4.4.6 Transmission of Warning Messages. A variety of messages may be
generated and sent to an intruder in an attempt to dissuade further activity. The simplest of these
is a routine warning message on every sign-on screen to the effect that the
user has become connected to a private computer system and that attempts to
gain access without authority will be considered trespassing. This could
provide the basis for later prosecution, as demonstrating clear intent to
perform an illegal act. Other screen messages could be initiated once an
intrusion attack has been tentatively identified, to the effect that a special
"trace or log mode" has been initiated. This would warn the intruder that an
attack is suspected and is being dealt with.

4.4.7 Limiting Sign-on Screen Information. One very important routine control
that should be used is to "camouflage" the nature of the computer system and
organization from intruders. Full information about these subjects is better
provided to people after they have been authenticated as valid system users.
The sign-on screens can be very sparse, with simple instructions given to enter
user identification and password. The reason that this should be done is that
it is extremely helpful to an intruder's attack to know the nature of the
computer or the organization that has been reached.
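The tactics of Sections 4.4.1 through 4.4.7 can be combined in one sign-on "exit" routine. The following is an added example, not code from the publication: a per-connection controller that counts invalid tries, measures the gap between them, raises an alarm to the administrator, and then either disconnects, slows its responses, or drops into the "dummy" loop. The user table, the half-second "faster than a human" threshold and the policy names are this example's own assumptions; the caller supplies the clock so the logic can be exercised without real delays.

```python
"""Added example (not from the NBS publication): a dial-up sign-on controller
implementing the Section 4.4 tactics. Thresholds, policy names and the user
table are this example's own assumptions."""
import hashlib
import hmac
import secrets

MAX_INVALID = 3          # Section 4.4.1: legitimate users seldom need more than three tries
HUMAN_MIN_GAP = 0.5      # seconds; repeats faster than this look machine-generated (assumed)
POLICY_DISCONNECT, POLICY_SLOW, POLICY_DUMMY = "disconnect", "slow", "dummy"

SPARSE_PROMPT = "ID:"    # Section 4.4.7: the screen reveals nothing about the host
WARNING_BANNER = "Private computer system. Unauthorized access is trespassing."  # 4.4.6


def _hash(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


def make_user_table(plain):
    """Constructed user table: id -> (salt, hash). Plaintext is never stored."""
    table = {}
    for user, pw in plain.items():
        salt = secrets.token_bytes(16)
        table[user] = (salt, _hash(pw, salt))
    return table


class SignOnSession:
    """Tracks invalid tries and their timing for one dial-up connection."""

    def __init__(self, users, policy=POLICY_DISCONNECT, alarm=None):
        self.users = users
        self.policy = policy
        self.alarm = alarm or (lambda msg: None)   # Section 4.4.3: notify the administrator
        self.failures = 0
        self.fast_repeats = 0
        self.last_attempt = None
        self.connected = True
        self.locked_out = False                     # Section 4.4.5: dummy loop, never succeeds

    def _credentials_ok(self, user, password):
        entry = self.users.get(user)
        if entry is None:
            _hash(password, b"\0" * 16)   # same cost for unknown IDs: no timing tell-tale
            return False
        salt, stored = entry
        return hmac.compare_digest(_hash(password, salt), stored)

    def attempt(self, user, password, now):
        """Process one sign-on attempt; returns the action and any delay to apply."""
        if not self.connected:
            return {"result": "no-carrier", "delay": 0.0}
        if self.last_attempt is not None and now - self.last_attempt < HUMAN_MIN_GAP:
            self.fast_repeats += 1           # Section 4.4.1: second clue, speed of tries
        self.last_attempt = now

        if not self.locked_out and self._credentials_ok(user, password):
            return {"result": "accepted", "delay": 0.0}

        self.failures += 1
        if self.failures > MAX_INVALID:
            if self.failures == MAX_INVALID + 1:   # alarm once, while the attack is under way
                self.alarm("sign-on limit exceeded; fast repeats=%d" % self.fast_repeats)
            if self.policy == POLICY_DISCONNECT:   # Section 4.4.2
                self.connected = False
                return {"result": "disconnected", "delay": 0.0}
            if self.policy == POLICY_DUMMY:        # Section 4.4.5
                self.locked_out = True
            # Section 4.4.4: keep the connection but string the caller along
            extra = self.failures - MAX_INVALID
            return {"result": "rejected", "delay": float(min(2 ** extra, 60))}
        return {"result": "rejected", "delay": 0.0}

    def suspected_automation(self):
        """Section 4.4.1 clues: too many tries, or repeats faster than a human types."""
        return self.failures > MAX_INVALID or self.fast_repeats >= 2
```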

4.5 Administrative Restrictions on Dial-Up Usage

A final point is that few computer systems should permit unlimited dial-up
access at all times. Many systems do not disable or restrict dial-up access at
night or on weekends, even though this form of access is not even expected in
any volume during these times. It is also apparent from experience that the
most likely times of attack are these off-hours. Dial-up ports should be
physically disconnected or otherwise disabled except when actually needed. If
the system is attended by an operator during off-hours, one effective procedure
is to require a potential dial-up user to call the operator, give
identification, and arrange for access directly.
5. HARDWARE PROTECTION OF COMMUNICATIONS PORTS AND LINES

The preceding section discussed software and procedural techniques for
protecting the computer system from dial-up intrusion. This section introduces
the topic of direct hardware protection of the dial-up communications link. In
this approach, as opposed to the preceding, the security of the link itself is
addressed external to the computer hardware or software.

5.1    Benefits  of  Directly  Applying  Protection  to  Ports 

Although there are numerous trade-offs in applying hardware security devices,
there are also some very significant advantages. The primary advantage is that
use of hardware protection permits less dependence on other software or
procedural security mechanisms in the system. As has been seen, many of those
mechanisms may not be strong enough or may not even be readily available for a
specific computer system. There are two other notable benefits to be gained by
applying hardware protection to the communications link.

5.1.1 Separation of Function. In using hardware security devices like those
described in Sections 6 and 7 of this document, separation of function is
gained by:

o Externalization of a set of security functions outside the machine,
physically and logically separated from the host. This reduces the degree of
dependency upon the software and procedural controls present in the system.

o Kernelization of a portion of the security functions, into a single
dedicated mechanism for reduced and controlled access via communications. This
separation can be further enhanced by giving direct responsibility for these
functions to communications personnel or the security administrator, instead of
to the systems programmers who normally administer the technical aspects of
operating system security.
5.1.2 Additional Layers of Protection. Installing hardware security devices on
the system's communications links provides for formal protection
of the network itself. This is a new concept for commercial and unclassified
systems. Further, hardware protection is intended exclusively to grant
authorization to a single system object, the communications port. Other
software and procedural security mechanisms would still be used. This helps to
shore up the system's security posture and reduce logical exposure to the
remainder of the system.

5.2 Three Approaches to Communications Link Protection

In protecting any set of communications ports, there are three basic approaches
that can be taken.

5.2.1 Manual Procedures. The most direct way to protect any communications
link is simply to keep it disabled except when needed. Manual procedures may
then be used by computer operators to activate ports when actually needed,
typically in direct response to a request by a potential user at the time of
need. These manual procedures may involve turning on a modem, physically
connecting a plug, or throwing a switch. This approach may be the cheapest and
most practical solution if the dial-up communications mode is used only on
demand or for emergency work, e.g., a programmer doing a "fix" on a production
system from home. Manual procedures are highly recommended if the system is
generally kept in a high-security posture, and during periods when no dial-up
traffic is expected, such as evenings and weekends.

5.2.2 The "One-end Solution". This solution involves direct hardware
protection of only one end of the communications link, either on the host
computer or on the user's terminal. In effect, this provides a separate
password on the communications link itself. This approach will be discussed in
Section 6.

5.2.3 The "Two-end Solution". More security is gained by using a matched set
of hardware protective devices for both ends of the dial-up circuit (computer
and terminal). These devices are often "intelligent" enough to communicate
directly with each other to perform user authentication and other
communications security functions. This approach is described in Section 7.

5.2.4 Protection Alternatives. The full set of presently available hardware
communications protection device categories is portrayed in Figure 5-1. The
upper half of that chart diagrams the two categories that make up the "one-end
solution," and the lower half shows the four categories that comprise the "two-
end solution." The remainder of this document is devoted to describing and
comparing these six categories.
Figure 5-1 Hardware Communications Protection Alternatives
6. ONE-END PROTECTION CATEGORIES AND FEATURES

If the host computer's internal software controls are inadequate to prevent
penetration by dial-up intruders, there are a number of external devices which
can do this when inserted into the communications link. The range of these
devices is portrayed in Figure 5-1, Hardware Communications Protection
Alternatives. Four product information tables listing many of these devices
are included in Appendix A.

The first group of devices, shown on the upper portion of Figure 5-1, improves
user access control by performing a preliminary call-screening or
authentication function. Typically, such a device is totally independent of
the computer. Devices in this category are called "one-end solutions", because
they are used on only one end of the communications circuit between the host
and terminal, but not both.

Most versions of one-end protection devices are installed at the host computer
end, but some newer devices are connected to the user's terminal. The
following discussion will separate these devices into two categories. First,
the devices which may be placed on the host end of the circuit will be
described. These devices are properly called "port protection devices", or
PPDs. Second, a newer and more flexible type of device, called controlled-
access "security modems", will also be covered.

6.1 Protecting Computers from the Host End — Port Protection

A port protection device (PPD) is an external device fitted to a communications
port of a host computer, intended to provide the function of authorizing user
access to the port itself, prior to and independent of the computer's own
access control functions. It is specifically designed to help control terminal
access when dial-up communications are used. See Figure 6-1 for a diagram of a
dial-up circuit with PPD installed.
Figure 6-1 Dial-Up Circuit — With Host Port Protection

A PPD may be designed to perform its function on the digital signal emanating
from host or terminal, or it may be placed on the "analog side", between modem
and telephone set. Some versions are even incorporated directly into a modem,
as parts of a single unit. There are various reasons for these placements,
depending upon system configuration and security needs. These reasons will be
discussed later in the section.

See Table 1 in Appendix A for a list of presently-available PPDs and their
vendors. The four primary features of PPDs are described below.

6.1.1 Password Tables. All PPDs require the user to enter a separate
authenticator (in other words, a password) in order to access the computer's
dial-up ports. This set of password tables external to and independent of the
computer's operating system is characteristic of PPDs and is available on all
models. This feature is the primary protection given by PPDs. All of these
devices can be viewed as establishing password protection over the computer's
ports. All have mechanisms to limit the number of sign-on attempts per
telephone connection, in order to deter "brute force" attacks.

6.1.2 Call-back to Call Originator. Some users erroneously describe all PPDs
as "call-back devices". Most PPDs do not have that capability. Call-back or
dial-back to the call originator is a second level of user authentication
beyond the standard PPD password table. In effect, this provides a second
hurdle for the potential user to surmount before gaining system access. If
call-back is used, a typical sequence of user connection is as follows: The
user dials the computer access number and is connected to the PPD. The PPD
requires the user to enter a PPD table password, and then hangs up the line.
The PPD searches its table and, if the password is found, identifies the user's
telephone number that matches the password. The PPD then makes a return call
to the user. Once connection takes place, the PPD becomes passive in the
circuit.

6.1.3 Hiding the Port's Existence. A PPD may "camouflage" the computer's
dial-up ports so that the identity or even existence of the computer is not
evident to an unauthorized caller. This is commonly a side-effect of some
password entry methods, but may be separately engineered. Some PPDs, which use
"analog-side" placement in the circuit, respond with a synthesized voice when
the user connects to them. This hides the characteristic modem tone that
intruders look for when they sequentially dial a series of telephone numbers
for candidate computers to penetrate. Other PPDs, which are placed on the
digital side of the modem, may send special screen displays to the user's
terminal that are either blank or ambiguous, and which require the user to know
what to do next to gain access to the system. By doing so, they do not give
away the kind of computer they are protecting, which is vital information
needed by the intruder to carry out his attack.
6.1.4 Journalling of Security Events. Many models of PPD provide some form of
logging or other warning signal of dial-up attack. This varies all the way
from display lights on the front panel of the device to the use of a dedicated
personal computer's disk files to record all types of user connection
information. Information that should be logged for a given system varies with
the sophistication of the system and local administrative requirements. For
example, systems which use the call-back approach may need to record enough
information to generate telephone usage bills to system users, because the host
incurs all telephone toll charges with this approach.
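The four PPD features of Section 6.1 (password table, attempt limit, call-back to the stored number, and a journal) are modelled together in the following added example, which is a simulation written for this page and not any vendor's firmware. The telephone interface is a small stand-in object that records what the device does; the table contents, the 555-prefixed numbers and the three-try limit are constructed assumptions.

```python
"""Added example (not from the NBS publication): a simulation of a port
protection device with the Section 6.1 features. The Line class stands in
for the modem/telephone interface; table entries are constructed."""
import hashlib
import hmac
import secrets

MAX_TRIES = 3   # Section 6.1.1: limit sign-on attempts per telephone connection


class Line:
    """Stand-in for the telephone/modem interface; records each action taken."""

    def __init__(self):
        self.actions = []

    def send(self, text):
        self.actions.append(("send", text))

    def hang_up(self):
        self.actions.append(("hangup", None))

    def dial(self, number):
        self.actions.append(("dial", number))
        return True   # assume the return call is answered


def _digest(salt, password):
    # Salted SHA-256 keeps the table from being read as plaintext; a real
    # device would use a deliberately slow hash (see Section 4.1).
    return hashlib.sha256(salt + password.encode()).digest()


class PortProtectionDevice:
    def __init__(self, table, use_callback=True):
        # table: password -> authorized call-back number (constructed entries)
        self.entries = []
        for password, number in table.items():
            salt = secrets.token_bytes(8)
            self.entries.append((salt, _digest(salt, password), number))
        self.use_callback = use_callback
        self.journal = []   # Section 6.1.4: record of connection events

    def _lookup(self, password):
        """Return the call-back number for a valid password, else None."""
        for salt, stored, number in self.entries:
            if hmac.compare_digest(stored, _digest(salt, password)):
                return number
        return None

    def handle_call(self, line, entered_passwords):
        """Screen one incoming call. The host port is reached only on 'passthrough'."""
        line.send("")   # Section 6.1.3: blank prompt, nothing about the host
        for i, pw in enumerate(entered_passwords[:MAX_TRIES], 1):
            number = self._lookup(pw)
            if number is None:
                self.journal.append(("invalid", i))
                continue
            self.journal.append(("accepted", i, number))
            if not self.use_callback:
                return "passthrough"
            line.hang_up()   # Section 6.1.2: drop the caller, then dial the stored number
            if line.dial(number):
                self.journal.append(("callback", number))
                return "passthrough"
            self.journal.append(("callback-failed", number))
            return "callback-failed"
        # Limit reached without a valid password: log it and drop the line.
        self.journal.append(("limit", MAX_TRIES))
        line.hang_up()
        return "dropped"
```

Note that the call-back number comes from the device's table, never from the caller, which is what makes the return call a second hurdle rather than a convenience.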


6.2 Protecting Computers from the Terminal End —
Controlled-Access Security Modems

Several new devices represent another approach to dial-up protection. They are
part of the trend towards integration of security features into standard
devices. These devices, called "security modems", are intended for
installation on user terminals. They incorporate a set of outbound
call-screening security functions into a standard single-user modem, in effect
controlling access to the host from the user end.

Recent product announcements indicate that modem manufacturers have discovered
the marketability of embedded security features. Several major vendors have
added security into their modems, often at no apparent increase in cost. See
Table 2 at Appendix A for a list of controlled-access security modems and
vendors.

Features that are characteristic of these modems include the following. They
will not operate as normal modems for dial-out purposes until the user enters a
specified password. Inside the modem, these passwords are matched in a secured
table with dial-out telephone number sequences necessary to connect the user to
specified host computers. The table also can be used to transmit a complete
log-on sequence to the host once connection is made.
This simplifies the job of dial-up connection for users, because all they have
to do is enter the appropriate password into their terminal. The unit will
then automatically dial the computer and make connection with a pre-selected
user account. Users normally have no control over the connection information
stored in the security modems. The security administrator can telephone these
units and change this information whenever desired.


7. TWO-END PROTECTION APPROACHES
FOR ADDITIONAL DIAL-UP COMMUNICATIONS SECURITY

The "one-end" security devices discussed in Section 6 were designed to improve
dial-up access control by giving the communications port a password screening
capability. In higher-security systems, this level of control may still seem
inadequate. More positive identification of the specific terminal or user may
be desired. A measure of resistance to snooping or tampering with
communications traffic may also be needed. In these cases, the "two-end"
approach is required. In this approach, there is a security device attached to
or used with each user terminal plus a matching device or comparable
application software used by the host computer. The four types of devices that
belong to the two-end solution family are portrayed on the lower half of Figure
5-1.

7.1 Increased Security With Two-end Devices

When the "two-end" security device approach is used, the level of
communications security can rise markedly and some aspects of user convenience
may improve, but these often are accompanied by a substantial increase in cost
and other drawbacks. Further, there may simply be no risk basis for installing
that degree of security in a given system. All these issues must be examined
before any purchase decision is made.

7.1.1 Degree of Additional Security Afforded. Most of the techniques used for
"two-end" security involve the use of highly complex algorithms uniquely
associated with specific terminals or users. The idea behind using these
unique algorithms is that the hardware or software at the host computer end
"knows" what algorithm is associated with each user or terminal. The host can
use this algorithm to perform a certain mathematical computation and then
challenge the user or terminal device to do the same. If the response
generated at the user terminal end matches that generated by the host end, then
the host has authenticated the identity of the communicating party with a high
degree of certainty. This "challenge-response" approach does not require the
user to remember anything which may be written down or given to someone else.
The authenticator devices are constructed in ways that prevent copying of the
algorithm. However, the devices are still subject to being loaned, lost or
stolen.

7.1.2 Tradeoffs in Cost and Flexibility. The "two-end" approach requires that each dial-up user or terminal possess an authentication device and that the host computer have another device or special software at its end. This substantially increases the cost to secure a dial-up network. The costs for these systems vary widely according to the level of security provided and other features. Costs can range as high as $6,000 per user-host link if sophisticated concealment of the traffic is needed in addition to access control. Most of the user or terminal authentication devices cost between $50 and $100 per user, plus the equipment or software required at the host end.

Two-end security devices can be separated into the challenge-response types which provide user or terminal authentication (access control) and those which offer concealment safeguards against eavesdropping (encryption) or tampering (message authentication). The latter two also inherently provide a strong access control function. The potential purchaser must determine whether the concealment function is necessary.

Devices in the "two-end" category are generally easier to use than the "one-end" devices, primarily because no passwords must be remembered and connection delays can be shorter. On the other hand, the approach is more complex. There are more items to break, become misplaced, install, and maintain.

7.2 User Authentication Tokens

The first group of devices belonging to the two-end challenge-response approach perform highly secure authentication of system users. The ten devices falling into this category that are presently available are listed in Table 3 of Appendix A.

Several new access control devices are based on the concept of a unique "token" to be used as an authenticator for each user, somewhat like a mechanical password. A token is a small item, such as a plastic "smart-card", given to each authorized system user that must be used to gain access to the system. Each token has a special algorithm or some other unique and non-copyable identifier embedded in it. The host computer can challenge the user in some way that can only be responded to correctly by means of the token.

There are two varieties of user authentication tokens. The simpler and cheaper variety is hand-held and requires no terminal attachments. This type of token may take various forms. Some examples now on the market include a calculator with special circuitry, a "smart" plastic card which displays a time-based authenticator continuously, and a light-sensitive wand which is designed to read and interpret special terminal displays sent by the host.

With this first variety, the user must read the authentication information from a liquid crystal display (LCD) on the token and then enter it as a response via the terminal when challenged. In some cases, the user must first read a challenge string on the terminal and enter it into the token via keys. The host reads the authentication information and compares it to the "right" answer it has generated before deciding to approve access.

The second variety of user authentication is simpler to use but may be more costly. It requires the user to place his or her token into a device connected to the terminal. This attachment can accept the challenge from the host, use the algorithm in the token to perform the required calculations, and then transmit the response to the host for verification. The token can take the form of a small plastic device with embedded microcircuitry, or in a somewhat less secure approach it can be a plastic card with a magnetic stripe.
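The host-end side of the challenge-response tokens described in 7.1.1 and 7.2, written as an added example and not taken from any product in the report. It assumes a per-user secret standing in for the token's unique algorithm, HMAC-SHA256 as the computation, a six-digit LCD-style response, and a one-minute window for the continuously displayed time-based variant.

```go
package main

import (
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"crypto/subtle"
	"encoding/binary"
	"errors"
	"fmt"
	"time"
)

// Token models one user's authenticator. The secret stands in for the
// device's unique, non-copyable algorithm; HMAC-SHA256 is an assumption
// made for this example, not the algorithm of any product in the report.
type Token struct {
	Secret []byte
}

// respond is what the token does with a challenge keyed in by the user:
// it yields a six-digit code that can be read from the LCD and typed at
// the terminal.
func (t Token) respond(challenge []byte) string {
	m := hmac.New(sha256.New, t.Secret)
	m.Write(challenge)
	sum := m.Sum(nil)
	return fmt.Sprintf("%06d", binary.BigEndian.Uint32(sum[:4])%1000000)
}

// timeCode is the continuously displayed, time-based variant: the
// "challenge" is the current one-minute window, so nothing is keyed in.
func (t Token) timeCode(now time.Time) string {
	var window [8]byte
	binary.BigEndian.PutUint64(window[:], uint64(now.Unix()/60))
	return t.respond(window[:])
}

// Host is the host-end software: it holds the matching secret for each
// user ID, issues challenges and checks responses.
type Host struct {
	Users map[string]Token
}

// challenge returns a fresh random challenge for the terminal to display;
// a new one per log-on means an old response is of no use if overheard.
func (h Host) challenge() ([]byte, error) {
	c := make([]byte, 8)
	if _, err := rand.Read(c); err != nil {
		return nil, err
	}
	return c, nil
}

// verify recomputes the "right" answer and compares in constant time.
func (h Host) verify(user string, challenge []byte, response string) error {
	tok, ok := h.Users[user]
	if !ok {
		return errors.New("unknown user")
	}
	want := tok.respond(challenge)
	if subtle.ConstantTimeCompare([]byte(want), []byte(response)) != 1 {
		return errors.New("response does not match")
	}
	return nil
}

// verifyTime accepts the current window and the previous one, allowing
// for the time the user needs to read the LCD and type the code.
func (h Host) verifyTime(user, code string, now time.Time) error {
	tok, ok := h.Users[user]
	if !ok {
		return errors.New("unknown user")
	}
	for _, back := range []time.Duration{0, time.Minute} {
		want := tok.timeCode(now.Add(-back))
		if subtle.ConstantTimeCompare([]byte(want), []byte(code)) == 1 {
			return nil
		}
	}
	return errors.New("time code does not match")
}

func main() {
	// Constructed secret; a real device holds it in tamper-resistant hardware.
	tok := Token{Secret: []byte("constructed-per-user-secret")}
	host := Host{Users: map[string]Token{"alice": tok}}

	c, err := host.challenge()
	if err != nil {
		panic(err)
	}
	fmt.Printf("challenge %x -> token shows %s\n", c, tok.respond(c))
	fmt.Println("keyed response accepted:", host.verify("alice", c, tok.respond(c)) == nil)
	fmt.Println("time code accepted:", host.verifyTime("alice", tok.timeCode(time.Now()), time.Now()) == nil)
}
```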
7.3 Terminal Authentication Devices

The second type of device in the two-end solution family performs challenge-response authentication of the specific user terminal. Some terminal authentication devices are very similar in operation to user authenticators. These devices are listed in Table 4 of Appendix A.

Often, terminals that are well protected from outsiders by a physical security perimeter are used in a dial-up mode. For some of these terminals, normal system log-on procedures may be sufficient to identify individual users, but it would be valuable to verify and record which user terminal is being used and, for fixed terminals, where it is located. There are three basic methods for positively identifying the user terminal by "two-end" challenge-response techniques.

Many standard terminals or workstations already have internal circuitry that supports assignment of unique terminal identifiers. This capability is also called "answer-back memory". These identifiers either are fixed and pre-assigned (hard-wired) or, more commonly, are special memory locations in firmware that can be changed to the desired code sequence during terminal set-up. It is usually possible to conceal this code once it is entered so that it cannot be read or copied by the user.

The host system can use this feature by sending a standard ASCII code (ENQUIRE) as a challenge to the terminal that will cause it to respond with the "answer-back memory" contents for authentication. Some commercial telecommunications software packages for personal computers have provisions to emulate this feature. Also, some modems have the feature built in.
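A host-side answer-back check of the kind just described, added here as an illustration and not taken from the report or any terminal vendor. It assumes a host table of registered answer-back strings keyed by line, the ASCII ENQ and CR framing given in the constants, and an in-memory pipe standing in for the dial-up connection.

```go
package main

import (
	"bufio"
	"crypto/subtle"
	"errors"
	"fmt"
	"io"
	"net"
	"time"
)

const (
	enq = 0x05 // ASCII ENQ: the host's request for the answer-back memory
	cr  = 0x0d // terminals terminate the answer-back string with CR
)

// terminalIDs is the host's table of registered answer-back strings,
// keyed by the dial-up line the terminal is expected on. Values are
// constructed for this example.
var terminalIDs = map[string]string{
	"line-03": "PAYROLL-TTY7",
}

// askAnswerback sends ENQ and reads the reply up to CR. The read is
// bounded in length and time so a silent or babbling line cannot tie up
// the host's port.
func askAnswerback(conn net.Conn, timeout time.Duration) (string, error) {
	if _, err := conn.Write([]byte{enq}); err != nil {
		return "", err
	}
	_ = conn.SetReadDeadline(time.Now().Add(timeout))
	r := bufio.NewReader(conn)
	var id []byte
	for len(id) < 64 {
		b, err := r.ReadByte()
		if err != nil {
			return "", err
		}
		if b == cr {
			return string(id), nil
		}
		id = append(id, b)
	}
	return "", errors.New("answer-back too long")
}

// verifyTerminal is the host's check: the answer-back must equal the
// value registered for this line. Being a fixed string, it proves which
// terminal is configured on the line, not who is sitting at it.
func verifyTerminal(conn net.Conn, line string) error {
	want, ok := terminalIDs[line]
	if !ok {
		return fmt.Errorf("no terminal registered for %s", line)
	}
	got, err := askAnswerback(conn, 2*time.Second)
	if err != nil {
		return err
	}
	if subtle.ConstantTimeCompare([]byte(got), []byte(want)) != 1 {
		return errors.New("answer-back does not match registered terminal")
	}
	return nil
}

// simulateTerminal plays the terminal end: on ENQ it sends the contents
// of its answer-back memory followed by CR.
func simulateTerminal(conn net.Conn, answerback string) {
	defer conn.Close()
	buf := make([]byte, 1)
	if _, err := io.ReadFull(conn, buf); err != nil || buf[0] != enq {
		return
	}
	conn.Write([]byte(answerback + "\r"))
}

// checkLine wires a simulated terminal to the host check over an
// in-memory connection and returns the host's verdict.
func checkLine(line, answerback string) error {
	hostEnd, termEnd := net.Pipe()
	defer hostEnd.Close()
	go simulateTerminal(termEnd, answerback)
	return verifyTerminal(hostEnd, line)
}

func main() {
	fmt.Println("registered terminal:", checkLine("line-03", "PAYROLL-TTY7"))
	fmt.Println("impostor terminal:  ", checkLine("line-03", "GUEST-TTY1"))
}
```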

A second approach to terminal identification uses matching pairs of devices that are inserted in the communications circuit. One device is placed between the terminal and modem, and the other is attached to the host computer's port. As an example, one product now on the market includes a four-port unit for the host end which is able to generate challenges to the small portable units that connect to the terminals. Each terminal unit is uniquely encoded by the host unit, and can be re-coded at any time. The terminal units for this model also require physical unlocking by means of a standard brass key prior to use.

In a third approach, hybrid versions of terminal authenticators are also available, which include the capability to authenticate each user at the same time. A newer version of the unit just described has a slot where each user is to insert a magnetic-striped card. Another popular product uses a similar method, in which each user must insert a thick plastic card with embedded identification circuitry into the unique terminal unit.

7.4 Line Encryption Devices

Encryption is the process of "scrambling" information in a pre-determined way so that it is unintelligible to anyone who does not know how to "unscramble" it. This process has been used by governments for centuries to protect secrets while in transmission, but has been little used elsewhere. Increasingly sophisticated ways have been invented to do encryption, because attempts are always being made by intruders to "break the code". The newer encryption methods can only be done efficiently by computers or special microcircuitry.

There is a standard method that was developed under the sponsorship of NBS for use within the Federal Government and elsewhere, called the Data Encryption Standard (more commonly referred to as DES). See [FIPS46], [FIPS74], [FIPS81], and [NBS78A] for detailed information on DES and how to use it. This method uses a highly complex algorithm that has been demonstrated to be mathematically very strong. DES requires the entry of a 64-bit "key" sequence, of which 56 bits are used for encryption and decryption. Since each bit can be "on" or "off", this makes an extremely large number of keys possible, wherein lies the strength of DES. It is infeasible to use even computerized brute-force techniques to discover the key used to encrypt a given message with DES.

The use of encryption techniques for dial-up communications represents the highest form of security which can be applied to it. Encryption has several attributes which cover most communications security needs. First, it protects the confidentiality of information passing over the communications link by making it unintelligible to snoopers. This is the primary rationale for using encryption.

Second, certain modes of DES operation, e.g., cipher block chaining [FIPS81], when combined with an authentication technique, can be used to protect the integrity of messages, so that tampering or transmission errors can be identified. See Section 7.5 on message authentication.

Third, the uniqueness of the encryption key which must be shared by sender and receiver enforces an extremely high degree of user identification. If both sender and receiver share a single key, they must have exchanged it or been assigned it by a third party.

There is one common problem with communications encryption. If the key used by sender and receiver is the only real security, then the security surrounding the procedure used to exchange the key between them becomes extremely important. Most present encryption systems rely on the users to transfer keys manually in some way, which may or may not be secure. The intruder may have an opportunity to intercept the key while it is in transit. The level of security afforded by encryption is dependent upon the security of managing the encryption keys.

7.4.1 An Innovative Encryption Approach. There are numerous encryption products on the market. One promising device makes encryption more practical because it manages keys automatically. This unit uses drop-in circuit boards for IBM PCs to create a secure dial-up network. Boards are pre-programmed by the system security administrator with a profile that specifies which of the other stations on the network each user may contact. The boards contain encryption circuitry, a microprocessor with secured memory, and a standard modem with both auto-answer and auto-dial capabilities. The boards can communicate with each other in a secure way to exchange encryption keys to be used for a single communications session. If one user wants to connect with another to exchange sensitive information, the user calls up a special program and requests connection. The board then determines whether the user may make the connection. If so, the board places a telephone call to the other system's board, exchanges session keys encrypted in a higher-level encryption key the two boards share, and enters into the communications session with the session keys operative.
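The board-to-board exchange just described, modelled as an added example rather than the vendor's own design. It assumes single-DES from Go's standard library (the standard the report discusses), a one-block DES encryption to wrap the session key under the shared higher-level key, and DES-CBC with PKCS#7 padding for the session traffic; station names, keys and the profile are constructed.

```go
package main

import (
	"bytes"
	"crypto/cipher"
	"crypto/des"
	"crypto/rand"
	"errors"
	"fmt"
)

// Board models one drop-in PC board. KEK is the higher-level key the
// boards share (a single-DES key, the standard the report describes);
// Allowed is the administrator's profile of stations this user may call.
type Board struct {
	Station string
	KEK     []byte
	Allowed map[string]bool
}

// mustDES builds a DES block cipher; every key in this example is 8 bytes.
func mustDES(key []byte) cipher.Block {
	blk, err := des.NewCipher(key)
	if err != nil {
		panic(err)
	}
	return blk
}

// connect is what the calling board does when the user requests a
// connection: consult the profile, mint a session key, and wrap it under
// the KEK for transit (one block, one DES encryption, so no mode or IV).
func (b Board) connect(peer string) (wrapped, session []byte, err error) {
	if !b.Allowed[peer] {
		return nil, nil, fmt.Errorf("profile does not permit %s to call %s", b.Station, peer)
	}
	session = make([]byte, des.BlockSize)
	if _, err = rand.Read(session); err != nil {
		return nil, nil, err
	}
	wrapped = make([]byte, des.BlockSize)
	mustDES(b.KEK).Encrypt(wrapped, session)
	return wrapped, session, nil
}

// pad and unpad apply PKCS#7-style padding to whole DES blocks (an
// assumption of this example; the report does not say how the boards pad).
func pad(msg []byte) []byte {
	n := des.BlockSize - len(msg)%des.BlockSize
	return append(append([]byte{}, msg...), bytes.Repeat([]byte{byte(n)}, n)...)
}

func unpad(pt []byte) ([]byte, error) {
	n := int(pt[len(pt)-1])
	if n == 0 || n > des.BlockSize || !bytes.Equal(pt[len(pt)-n:], bytes.Repeat([]byte{byte(n)}, n)) {
		return nil, errors.New("bad padding")
	}
	return pt[:len(pt)-n], nil
}

// encryptSession is DES-CBC under the session key with a random IV sent
// ahead of the ciphertext; decryptSession reverses it.
func encryptSession(key, msg []byte) ([]byte, error) {
	pt := pad(msg)
	out := make([]byte, des.BlockSize+len(pt))
	if _, err := rand.Read(out[:des.BlockSize]); err != nil {
		return nil, err
	}
	cipher.NewCBCEncrypter(mustDES(key), out[:des.BlockSize]).CryptBlocks(out[des.BlockSize:], pt)
	return out, nil
}

func decryptSession(key, ct []byte) ([]byte, error) {
	if len(ct) < 2*des.BlockSize || len(ct)%des.BlockSize != 0 {
		return nil, errors.New("ciphertext is not whole blocks")
	}
	pt := make([]byte, len(ct)-des.BlockSize)
	cipher.NewCBCDecrypter(mustDES(key), ct[:des.BlockSize]).CryptBlocks(pt, ct[des.BlockSize:])
	return unpad(pt)
}

// secureCall runs the whole exchange: profile check, wrapped session key
// over the line, then one message under the session key. It returns what
// the called board recovers.
func secureCall(caller, callee Board, msg []byte) ([]byte, error) {
	wrapped, callerKey, err := caller.connect(callee.Station)
	if err != nil {
		return nil, err
	}
	// called board: recover the session key under its copy of the KEK
	calleeKey := make([]byte, des.BlockSize)
	mustDES(callee.KEK).Decrypt(calleeKey, wrapped)
	ct, err := encryptSession(callerKey, msg)
	if err != nil {
		return nil, err
	}
	return decryptSession(calleeKey, ct)
}
```

Call secureCall with two boards that share the same KEK; a caller whose profile does not list the callee, or a callee holding a different KEK, cannot complete the call.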

7.4.2 Encryption Hardware. No product list for encryption hardware has been included. There are numerous manufacturers of these devices, and it is not practical to list them all. Encryption devices typically take one of two forms. In the traditional form used for line encryption, the circuitry is enclosed in a small box that is connected in series between the port and the modem, on either end of the communications circuit. In the newer form, designed for PCs, all circuitry is contained on a single circuit board that is plugged into one of the standard slots on the backplane, inside the computer housing. For the latter form, it is usually possible to use the capabilities of the circuit board for encryption of internal files, in addition to using it for communications.

7.5 Message Authentication Methods

One "two-end" dial-up security approach has been designed specifically for electronic funds transfer (EFT), although these devices can readily be used in other applications. In EFT, it is important to verify that the contents of a message have not been changed, because these messages are in effect electronic checks which are subject to fraud or embezzlement.

The banking industry, in conjunction with NBS and the American National Standards Institute (ANSI), has developed ANSI Standard X9.9 for Message Authentication in EFT. This standard uses the DES to authenticate selected fields in an EFT message, or alternatively the entire message, to ensure that the message is not altered in transit. A message authentication code (MAC) is calculated as a cryptographic function of the clear-text message. The MAC is then appended to the clear-text message to serve as a cryptographic checksum. The MAC may then be checked by the recipient by duplicating the original MAC generation process. See [FIPS113] for a description of the authentication process.

The same process of generating a verifiable seal against tampering could be used effectively in a number of business applications. See [FIPS113] and [NBS79] for a description of the way this process, called data authentication, works.
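The MAC generation and checking process described above, as an added example rather than code from FIPS 113 or any product. It assumes the binary-data form of the algorithm (DES-CBC from a zero IV, zero-byte padding, leftmost 32 bits kept), a '|' separator for appending the MAC to the clear text, and a constructed EFT record and key.

```go
package main

import (
	"crypto/des"
	"crypto/subtle"
	"encoding/hex"
	"errors"
	"fmt"
	"strings"
)

const macHexLen = 8 // 32-bit MAC written as 8 hexadecimal characters

// computeMAC follows the DES-based data authentication algorithm of
// FIPS 113 / ANSI X9.9 for binary data as this example assumes it: DES in
// CBC mode from a zero IV over the message padded with zero bytes, with
// the leftmost 32 bits of the final block as the MAC.
func computeMAC(key, msg []byte) (string, error) {
	blk, err := des.NewCipher(key)
	if err != nil {
		return "", err
	}
	if len(msg) == 0 {
		return "", errors.New("refusing to authenticate an empty message")
	}
	var chain [des.BlockSize]byte // zero IV
	for i := 0; i < len(msg); i += des.BlockSize {
		var block [des.BlockSize]byte
		copy(block[:], msg[i:]) // a short final block is left zero-padded
		for j := range block {
			block[j] ^= chain[j]
		}
		blk.Encrypt(chain[:], block[:])
	}
	return strings.ToUpper(hex.EncodeToString(chain[:4])), nil
}

// seal appends the MAC to the clear-text message, separated by '|', as
// the "cryptographic checksum" the report describes.
func seal(key []byte, msg string) (string, error) {
	mac, err := computeMAC(key, []byte(msg))
	if err != nil {
		return "", err
	}
	return msg + "|" + mac, nil
}

// verify recomputes the MAC over the received clear text and compares it
// in constant time; any change to the message or the MAC is rejected.
func verify(key []byte, sealed string) (string, error) {
	if len(sealed) < macHexLen+2 || sealed[len(sealed)-macHexLen-1] != '|' {
		return "", errors.New("message carries no MAC")
	}
	msg := sealed[:len(sealed)-macHexLen-1]
	got := sealed[len(sealed)-macHexLen:]
	want, err := computeMAC(key, []byte(msg))
	if err != nil {
		return "", err
	}
	if subtle.ConstantTimeCompare([]byte(got), []byte(want)) != 1 {
		return "", errors.New("MAC mismatch: message altered or wrong key")
	}
	return msg, nil
}

func main() {
	key := []byte("x9.9-key") // constructed 8-byte DES key shared by both banks
	sealed, err := seal(key, "FROM=12345678;TO=87654321;AMT=1000.00") // constructed EFT record
	if err != nil {
		panic(err)
	}
	fmt.Println("sent:    ", sealed)
	tampered := strings.Replace(sealed, "AMT=1000.00", "AMT=9000.00", 1)
	_, err = verify(key, tampered)
	fmt.Println("tampered:", err)
}
```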

No product tables are included for message authentication devices.

8. RECOMMENDED COURSE OF ACTION

A number of different alternatives for improving dial-up security via add-on devices have been presented. It is important to determine which, if any, of the devices can help the organization enough to warrant purchasing them. Each device provides enhanced dial-up security at some cost, in real dollars or in efficiency.

Determining dial-up security needs can be a very complex process. Few persons outside of the military establishment are trained to make decisions about communications security. This section provides some help in making the right dial-up security decision. The following set of evaluative questions should help focus the decision process and aid the system manager to settle upon a final course of action:

8.1 Does the Computer System Need Better Dial-up Security?

The first question to ask is: "How bad off are we now?" The following criteria are suggested to help determine whether the computer system even needs supplemental dial-up communications security devices.

8.1.1 Defining Security Requirements for Information Flowing on Dial-up Circuits. There are three impact factors which can be used to determine security requirements for collections of information or the systems which process them. The first is sensitivity to disclosure, the negative impact that could occur if the information in the system were disclosed to unauthorized persons, such as dial-up intruders. The second measure is availability, the impact on the organization if the information or processing system is not available within a specified period of time. The third security measurement factor is integrity. If the information must have a high degree of freedom from error to be useful, or if it may be the target of fraudulent modification, this factor is involved.

8.1.2 Characteristics of a Dial-up Circuit Needing Communications Security.

Dial-up communications security devices can reduce organizational impact from all three security factors noted above, especially sensitivity and integrity. If the current resistance of the host system's operating system to outside penetration is low, then the potential exposure via dial-up communications networks may be high. This is particularly true if the information transmitted is very sensitive. If intruders could gain access to the system to affect it or if they could tap or interfere with communications and thereby cause harm, then additional security protection is probably needed.

A dial-up circuit needing strong communications security is one that has one or more of the following characteristics: it handles data that must not be modified or disclosed, it supports processes with great time sensitivity, or it permits easy access to fragile data bases or files that must not be modified improperly.


8.2 If Better Security Is Needed, Is One-end or Two-end Best?

Once management has determined that dial-up security devices are required in order to shore up communications security capability, the next decision is about the general type of device. The following criteria are suggested to help decide whether the one-end (host or terminal port protection devices) or one of the two-end types of mechanism is best for meeting the computer system's security needs:

8.2.1 Integrity and Sensitivity to Disclosure. When the information that may be accessed by dial-up is very sensitive to disclosure or fraudulent modification, one of the two-end approaches which involves encryption should be used. For information of low to moderate sensitivity, a one-end approach which provides extra ability to screen out intruders via access control barriers may be appropriate.

8.2.2 User Resistance to Remembering More Passwords. In the case where users are highly resistant to remembering extra passwords for access control, one of the two-end approaches which performs user or terminal authentication via a token or an add-on box may be appropriate. Possession of the token is functionally identical to remembering a password.

8.2.3 User Resistance to Connection Delays. When higher levels of user authentication are required, but users are resistant to delays in connecting to the system, one of the two-end devices, a terminal security modem, or a PPD without call-back may be appropriate. None of the two-end approaches use the time-consuming call-back approach, but some of them induce their own form of user connection delay by requiring the user to receive a challenge, process it with the token, and then enter the result on the keyboard.

8.3 If PPDs Are Desired, What Features Are Needed?

When additional security should be in the form of a low to moderate improvement in user access control (identification and authentication), port protection devices (PPDs) or security modems may be needed. The following criteria are useful for selection and application of PPDs:

8.3.1 Access Security Versus Password Entry Methods. There are three basic methods of entering the password into a PPD, each with its own security or convenience considerations. Some units require the user to respond with voice to challenges, in such a way that a numeric password is formed. This is time-consuming and will not be appropriate for users who use direct-connect modems instead of telephone sets. Similar units require the user to enter a numeric password via the telephone keypad. The problems with this approach are that some terminals may not have keypads, and more importantly, the numeric password does not have enough possible variations to be highly secure. On the other hand, the voice and keypad methods do hide the host's modem tone from intruders.

The third method of password entry is via the user's terminal keyboard. This approach permits far stronger passwords to be created, because any character of the password can be any one of the 128 characters in the ASCII character set. Even terminals with direct-connect modems can use this method. The host port's modem tone can be heard upon connection, but the password strength and the ability of this type of PPD to camouflage the type of host computer being accessed should be sufficient to thwart penetration attempts, though it may not deter them.

8.3.2 Security Evaluation of Various Features. Two PPD features that are either standard or optional merit special discussion. An important feature that all units share is the procedure for changing security tables. Low-security PPDs permit this to be done either manually or via a connected terminal with no special external security controls. Higher-security devices require a special password plus a physical key to enter the device into supervisory mode for table maintenance.

One controversial feature of many PPDs that gives additional protection but has numerous drawbacks is call-back. Once almost synonymous with PPDs, call-back can serve as a second password hurdle, but in many systems the users may call in from any of a number of possible telephone numbers. Also, if the first PPD password procedure is strong, the second hurdle may not be needed unless management wants to strongly control the locations that dial-up users may call from. Major drawbacks include user connection delays, reversal of toll charges, and increased security table administration problems. A further potential problem is that hackers have identified a strategy for penetrating certain PPDs by exploiting the way that these devices perform the call-back process. It is useful to note that all of the newer "high-end" PPDs either do not use call-back or make its use optional.

8.4 If Two-end Security Is Needed, What Approach Is Best?

When the user authentication features of the PPD or security modem do not meet the security requirements of the dial-up communications network, one of the four two-end security device approaches may be appropriate.

8.4.1 Information Sensitivity. If the information transmitted on the dial-up network is so sensitive to disclosure that it should be protected against wiretaps, the best solution is some form of line encryption.

8.4.2 Information Integrity. If it is important to make certain that information is communicated via dial-up lines without modification, then the best solution is to use message or data authentication via a hardware device that performs the MAC generation process.

8.4.3 Terminal Location. If it is important to know that a specific terminal device is being used or that the communications come from a specific location, the best solution is use of existing terminal authentication capability (if available on presently installed user terminals) or a terminal authentication device. However, if all that is needed is a check on the originating location of the call, a PPD with call-back will also do the same job, possibly at less cost.

8.4.4 User Identification. If it is necessary to know with some certainty that a specific individual is accessing the system, one of the various user authentication "token" devices will meet this need. Line encryption can also help, if the user is required to enter an encryption key in order to use the device.

8.5 What Are the Tradeoffs in Adding Dial-up Security Devices?

The prospective buyer of hardware for communications protection should carefully consider the adverse impact of installing these devices in the organization. This impact can arise from the factors discussed below. In addition to those factors, some in the organization may view the computer and its associated security requirements (personified by the system security administrator) as a hindrance to workers trying to get their job done. Additional security measures must be fully justified by the level of risk to the system. It is equally important that users be well educated on these risks and the clear need for additional security mechanisms.

8.5.1 User Convenience and Enhanced Security. Users may understandably resist the requirement for remembering additional passwords for PPDs or security modems. The typical user may perceive the requirement to carry around an authentication token, such as a card or wand, as a nuisance. The set of administrative procedures associated with maintaining some manual forms of encryption key management is even more onerous. There is a danger that any of these additional requirements imposed for the sake of security may be unnecessarily burdensome unless they are clearly necessary due to system risks.

Similarly, any form of connection delay due to security will often not be taken kindly. These delays will be induced by the call-back procedures used by some PPDs. Other procedures, such as the manual entry of an identification string generated by a hand-held authenticator token, will also generate connection delays of a minute or so. Granted, a minute extra per connection may not seem like much, but it is strictly overhead and must be justified in the users' minds as a valid imposition on their ability to get their work done.

8.5.2 System Management Effectiveness and Enhanced Security. When system security weaknesses are examined closely, the most common problems are usually administrative. In other words, more security potential is typically available in a system than the people who manage the system use effectively. This is especially true of the user account name (USERID) and password scheme. The issue boils down to people problems. Imposing hardware protective devices typically will not cure that malady. Rather, this new approach may make it worse.

For example, consider what happens when an organization decides to install PPDs on the numerous dial-in lines attached to its primary computer. Immediately, a new set of problems will surface. Perhaps the most obvious of these is the problem of managing an additional access control (password) system, separate from that used by the host computer. The procedures for assigning and changing passwords for PPDs should be rigorous; otherwise the real protection they can offer will be reduced. Usually, this means that more people will be needed to administer the system. This will be especially true if the organization takes this opportunity to separate out the communications security function from the computer security function.

Communications protection devices typically cost several hundred dollars per line. The bare minimum cost per port to install hardware protection seems to be about $200, and it can range into the thousands, depending upon approach and level of security desired. Along with this initial capital cost is the recurring cost of maintaining and repairing the devices. Other direct and indirect dollar costs imposed by these devices may include the following:

- User inefficiency (one minute per connection times many connections per year adds up quickly in terms of salary).

- Computer processing delay while user or terminal authentication takes place.

- Increased host computer telephone bill because call-back procedures require session connections to originate at the host end.

All of the costs involved must be identified and estimated to determine the true cost of installing additional dial-up security protection. This final cost should then be compared to an estimate of present risk from damage due to dial-up intruders, to evaluate whether the new devices are warranted.

9. SUMMARY AND CONCLUSIONS

Both one- and two-end dial-up security devices can provide a valuable increase in protection from intruders. In some cases, however, this protection can be costly.

The following conclusions may be drawn about this family of security devices:

- The present dial-up security devices are a valid short-term strategy if the present system security is inadequate to meet the perceived threat from dial-up intruders. Note that vendors are beginning to include these security functions in newer models of standard communications devices at little or no extra cost.

- These devices should supplement, not replace, other security mechanisms. If present administrative procedures are weak, adding the devices may not be a valid strategy. The full security capabilities of the operating system should be exploited first.

- The devices can be used improperly or ineffectively. For example, PPD and security modem passwords are subject to the same administrative weaknesses as those used routinely with operating systems. Finally, it is also possible to install more security capability than needed.

The  Bottom  T.inc>- 

Dial-up  communications  protection  devices  should  be  considered  if  the  system 
manager  is  unwilling  to  trust  the  fully  utilized  security  capability  of  the 
computer's  operating  system  to  keep  dial-up  intruders  out  of  the  system  or  its 
transmitted  information. 
APPENDIX A

DIAL-UP ACCESS PROTECTION
HARDWARE SECURITY DEVICES — PRODUCT TABLES


Attached to this appendix is a series of four product tables. These tables
provide information about all classes of hardware security devices used for
dial-up access protection, except for encryption and message authentication.
For the latter, the number of products and vendors is very large, and it would
be impractical to list them all.

The tables and their contents are as follows:

Table 1:  Port Protection Devices (for host-end user authentication).

Table 2:  Controlled-access User "Security" Modems and Related Devices
(includes multiplexers, port expanders, port contenders with security features,
protocol converters, and modems with encryption capability).

Table 3:  User Authentication Devices.

Table 4:  Terminal Authentication Devices.

Disclaimers

The National Bureau of Standards (NBS) does not provide evaluations of
commercial products or services. Mention of products in this publication in no
way constitutes endorsement of them by NBS or the author. All products of the
categories listed known to the author at time of writing have been included.
TABLE 1
PORT PROTECTION DEVICES

PRODUCT                      VENDOR                             NO. PORTS/LINES
                                                                PROTECTED

GATEWAY                      Adalogic
                             1522 Wistaria Lane
                             Los Altos, CA 94022
                             (408) 996-8559

AUDITOR ACC 1000             Access Data Systems Inc.           2 TO 128
                             766 Big Tree Dr., #104
                             Longwood, FL 32750

SIGNALMAN SECURE 12 MODEM    Anchor Automation Inc.
                             6913 Valjean Ave.
                             Van Nuys, CA 91406
                             (818) 997-7758

NET/GUARD                    Avant-Garde Computing              4 TO 4096
                             800 Commerce Parkway
                             Mt. Laurel, NJ 08054
                             (609) 778-7000

DIALSAFE SL                  Backus Data Systems Inc.
DIALSAFE 3 & 3 PLUS          1440 Koll Circle, #110             3 TO 6
DIALSAFE 18                  San Jose, CA 95112                 6 TO 18
                             (408) 279-8711

TERMINAL SECURITY            Black Box Catalog
  DEVICE (TSD)               P.O. Box 12800
TONE ACTIVATED TALKING       Pittsburgh, PA 15241
  SWITCH (TATS)              (412) 746-5500

SLEUTH & SUPERSLEUTH         C. H. Systems
  (latter is with modem)     8533 W. Sunset Blvd #106
                             Los Angeles, CA 90069
                             (213) 854-3536

SECURITY MODEM               Cermetek Microelect.
  (also a security modem)    1308 Borregas Ave.
                             Sunnyvale, CA 94088
                             (408) 752-5000

PROTECTOR                    Compion Corp.
                             1101 E. University Ave.
                             Urbana, IL 61801
                             (800) 952-8888


SECURITY FOR DIAL-UP LINES

TABLE 1 (cont.)
PORT PROTECTION DEVICES

PRODUCT                      VENDOR                             NO. PORTS/LINES
                                                                PROTECTED

SECURENET DEFENDER II        Digital Pathways Inc.              8 TO 384
  SERIES                     201 Ravendale Drive
DEFENDER IIK                 Mountain View, CA 94043            8 TO 384
  (with data encryption &    (415) 964-0707
  msg. authen.)

GATEKEEPER                   Hall-Comsec Ltd.                   1 TO 16
                             1024 Wakerobin Lane
                             Fort Collins, CO 80526
                             (303) 223-8039

SECURITY MODEM               Inmac
  (also a security modem)    2465 Augustine Drive
                             Santa Clara, CA 95054
                             (800) 547-5444

ENTERCEPT                    Integrated Applic. Inc.
                             8600 Harvard Avenue
                             Cleveland, OH 44105
                             (216) 341-6700

BARRIER                      International Anasazi
                             2914 E. Katella Ave. #202
                             Orange, CA 92667
                             (714) ?71-7250

TRAQ-NET 2000 SERIES         LeeMah Datacom Scty Co.            8 TO 128
                             3948 Trust Way
                             Hayward, CA 94545
                             (415) 786-0790

GTX-100 MODEM                Lockheed-GETEX Co.
                             1100 Cir. 75 Pkwy.
                             Atlanta, GA 30339
                             (404) 951-0878

#945                         Optimum Electronics                12 STD;
DL 125/225                   P.O. Box 250                       10 STD, (rest
DL 1000                      North Haven, CT 06473              of this column
  (also a tml. authenticator (203) 239-6098                     cut off in the
  with DK 1125)                                                 source; row
DL 2400                                                         assignment not
  (PPD/modem & tml. authent.                                    recoverable)
  with DK 2400)

A "?" marks a digit that is illegible in the source copy.
TABLE 1 (cont.)
PORT PROTECTION DEVICES

PRODUCT                      VENDOR                             NO. PORTS/LINES
                                                                PROTECTED

MICRO SENTRY                 TACT Technology                    1
COMPUTER SENTRY              100 N. 20th Street                 1
MULTI SENTRY                 Philadelphia, PA 19103             16 TO 128
                             (800) 523-0103

SECURITY ACCESS UNIT         Terminal Data Corp.                1
                             15733 Crabbs Branch Way
                             Rockville, MD 20855
                             (301) 921-8282

OZ GUARDIAN                  Tri-Data Inc.                      1
                             505 E. Middlefield Road
                             Mountain View, CA 94039
                             (415) 969-3700

INTERGUARD DCF/5251          Wall Data Inc.                     1
                             17769 NE 78th Place
                             Redmond, WA 98052
                             (800) 433-3388

LINEGUARD 2001               Western Datacom                    1
LINEGUARD 3000               5083 Market Street                 2
LINEGUARD 3060               Youngstown, OH 44512               15 TO 60
                             (216) 788-6583
TABLE 2
SECURITY MODEMS AND MISCELLANEOUS DEVICES

PRODUCT                      VENDOR

1212 AD-2 MODEM              Anderson-Jacobson, Inc.
                             521 Charcot Avenue
                             San Jose, CA 95131
                             (408) 263-8520

AI-SWITCH SERIES 170         Applied Innovations Inc.
  (data switch)              2764 Sawbury Blvd.
                             Columbus, OH 43085
                             (614) 764-2400

DIALMUX                      Backus Data Systems Inc.
  (security multiplexer)     1440 Koll Circle, #110
LINEMUX                      San Jose, CA 95112
  (security multiplexer)     (408) 279-8711

DIAL-CONTENDER               Cermetek Microelect.
  (port contender and PPD)   1308 Borregas Ave.
SECURITY MODEM               Sunnyvale, CA 94088
  (also a PPD)               (408) 752-5000

CIPHERTEK 12                 CryptoCom Corp.
  ENCRYPTING MODEM           Anaheim Road (street number illegible in source)
                             Long Beach, CA 90815
                             (213) 494-7477

DATA ARMOR                   Data Armor
                             3435 Galt Ocean Drive
                             Ft. Lauderdale, FL 33308
                             (305) 565-4258

DATASENTRY IV                Datasentry Technologies
  ENCRYPTING MODEM           10 Volvo Drive
                             Rockleigh, NJ 07647
                             (201) 757-7900

CHECKPOINT SWITCH            Giltronix Inc.
  (port contender/expander)  3780 Fabian Way
                             Palo Alto, CA 94303
                             (415) 493-1300

SECURITY MODEM               Inmac
  (also a PPD)               2465 Augustine Drive
                             Santa Clara, CA 95054
                             (800) 547-5444

DL 2400 WITH DK 2400         Optimum Electronics Inc.
  (PPD/modems & tml.         P.O. Box 250
  authen.)                   North Haven, CT 06473
                             (203) 239-6098
TABLE 2 (cont.)
SECURITY MODEMS AND MISCELLANEOUS DEVICES

PRODUCT                      VENDOR

DATALINK 2400 MODEM          Penril DataComm
                             207 Perry Parkway
                             Gaithersburg, MD 20877
                             (301) 921-8600

SERIES 200                   Protocol Computers Inc.
  (protocol converters)      6150 Canoga Ave.
                             Woodland Hills, CA 91367
                             (800) 423-5904

MAXWELL 2400PA MODEM         Racal-Vadic
                             1525 McCarthy Blvd.
                             Milpitas, CA 95035
                             (408) 946-2227

DES ACCELERATOR              Telebyte Corp.
  (data compression)         215 Oak Street
                             Natick, MA 01760

MD212-7E SECURITY-PLUS       Ven-Tel Inc.
  MODEM                      2342 Walsh Ave.
                             Santa Clara, CA 95051
                             (408) 727-5721

MESA 424 SECURITY MODEM      Western Datacom
  (with encryption)          5083 Market Street
                             Youngstown, OH 44512
                             (216) 788-6583
TABLE 3
USER AUTHENTICATION DEVICES

PRODUCT                      VENDOR

CONFIDANTE                   Atalla Corp.
  (hand-held, keyed-in
  challenge)

CODERCARD                    Codercard Inc.
  (smart card inserted       16812 Redhill, Suite B
  into terminal box)         Irvine, CA 92714
                             (714) 662-7689

DEFENDER IID                 Digital Pathways Inc.
  (PPD with hand-held        1060 E. Meadow Circle
  user authen.)              Palo Alto, CA 94303
                             (415) 493-5544

SAFE-WORD                    Enigma Logic Inc.
  (hand-held, keyed-in       2151 Salvio St. #301
  challenge)                 Concord, CA 94520
                             (415) 8?7-5707

GORDIAN                      Gordian Systems Inc.
  (hand-held, reads          3512 West Bayshore Rd.
  screen challenge)          Palo Alto, CA 94303
                             (415) 494-8414

TELECAM                      Logicam Microcard Inc.
  (uses smart card &         21 E. 40th St. #2007
  reader)                    New York, NY 10016
                             (212) 2?1-9521

MAGNAKEY                     MicroFrame Inc.
  (uses magcard with         2551 Route 130
  DataKey)                   Cranbury, NJ 08512
                             (609) 3?5-7800

CAPS-1                       Secure Data Assoc.
  (hand-held, keyed-in       9500 South 500 W. #209
  challenge)                 Sandy, UT 84070

SECUR-ID                     Security Dynamics
  (hand-held, time-based     15 Dwight St.
  response)                  Boston, MA 02118
                             (617) 542-0976

PFX PASSPORT                 Sytek Inc.
  (hand-held, keyed-in       1945 Charleston Rd.
  challenge)                 Mountain View, CA 94043
                             (415) 966-7300

LAZERLOCK                    United Software Security
  (hand-held, reads          6867 Elm St. #100
  screen challenge)          McLean, VA 22101
                             (703) 556-0007

A "?" marks a digit that is illegible in the source copy.
TABLE 4
TERMINAL AUTHENTICATION DEVICES

PRODUCT                      VENDOR

SEMAD                        Adaptive Systems Inc.
  (formerly CODEM)           2527 N. Ridge Ave.
                             Arlington Hts., IL 60004
                             (312) 253-8429

ARBITER                      Computer Security Sys.
  (also an encryptor)        1 Huntington Quad. #1C07
                             Melville, NY 11747
                             (516) 752-7790

SITE AUTHENTICATION          icable Manufacturing (vendor name cut off in source)
  DEVICE                     4800 Dundas St. West
                             Toronto, ONT M9A 1B1
                             (416) 236-1604

DataLock & DataKey           MicroFrame Inc.
                             205 Livingston Ave.
                             New Brunswick, NJ 08901
                             (201) 828-4499

DL 1000 WITH DK 1125         Optimum Electronics Inc.
  (PPD w/ tml. authen.       P.O. Box 250
  dev.)                      North Haven, CT 06473
DL 2400 WITH DK 2400         (203) 239-6098
  (PPD/modem & tml.
  authen.)


Note:  The National Bureau of Standards (NBS) endorses NO commercial products.
All devices of the types specified known to the author at the time of
publication have been included in these tables. No endorsement, approval or
recommendation of them by NBS is implied by their inclusion.